CONTINENTAL  DIVIDE:  WHY  AMERICANS  AND  EUROPEANS  CLASH  OVER  PRIVACY 


BETTER  LIVING 
THROUGH 
CHEMISTRY 

How  one  industry 
has  pulled  together 
to  avoid  disaster 

PAGE  28 


THE  RESOURCE  FOR  SECURITY  EXECUTIVES 


IMMUNE  SYSTEMS 

Can  a  bioterrorism 
task  force  create  an 
early  warning 
infrastructure? 

PAGE  42 


TALES  FROM 
THE  ENCRYPTED 

The  murky  past— 
and  the  even 
murkier  future— 
ofPKI. 

PAGE  57 


It’s  the  dirtiest  little  secret  in  the 
software  industry:  Patching  no 
longer  works.  And  there’s 
nothing  you  can  do  about  it. 
Except  maybe  patch  less. 


Bob  Wynn,  CISO  of 
the  state  of  Georgia 


Or  possibly  patch  more 


August  2003  $9  00 

www.csoonline.com 


Introducing  fully-integrated 
client  security.  The  Symantec 
revolution  continues. 


The  secure  enterprise  is  here.  Now  the  revolution 
that  began  at  the  gateway  with  Symantec™  Gateway 
Security  has  spread  to  desktops  and  laptops. 
Introducing  Symantec™  Client  Security  the  world's 
first  comprehensive ,  fully-integrated  client  security 
solution.  It  seamlessly  integrates  the  critical 
tools — intrusion  detection,  client  firewall  and 
virus  protection — into  a  powerful,  cohesive  defense. 
By  working  as  a  unified  system  to  scan  both 
inbound  and  outbound  traffic,  it  allows  you  to  better 
detect,  contain  and  eliminate  complex  blended 
threats  like  Nimda  and  Code  Red.  And  to  help  you 
manage  it  all,  a  centralized  console  lets  you  install, 
configure  and  monitor  all  components  from  a  single 
workstation.  The  revolution  continues.  Join  it  at 
http://ses.symantec.com/CDl  or  call  800  /4b  6054 
and  we'll  send  you  our  multimedia  CD,  " The  Symantec 
Integrated  Security  Solution. " 


Symantec 


I  AM  A  SNARLING 
PACK  OF 
DOBERMANS. 

I  AM  INTEGRATED  SECURITY.  I  HAVE  THE  POWER  TO  PROTECT 
YOUR  NETWORK  FROM  THE  INSIDE,  THE  OUTSIDE  AND  FROM 
EVERYWHERE  IN  BETWEEN.  I  ALWAYS  KNOW  WHO  IS  ON  THE 
GUEST  LIST  AND  HAVETHE  POWERTO  DENYTHOSEWHO  AREN'T 
ON  IT.  I  SNIFF  OUT  THREATS  SO  YOU  CAN  STAY  PRODUCTIVE. 

I  AM  MORE  THAN  A  CISCO  3700  ROUTER. 


THIS  IS  THE  POWER  OF  THE  NETWORK.  IIOW. 


Cisco  Systems 


cisco.com/securitynow 


August  2003 

VOL. 2.  NO. 8 


cover  photo  by  IN  EVERY  ISSUE  6  CSOonline.com  8  Letter  from  the  Editor  10  Letters  62  Index 

Stan  Kaady 


4  www.csoonline.com  August  2003 


COLUMNS 

24  Protect  What’s  Yours 

SECURITY  COUNSEL  Hewlett-Packard  Chief  Security 
Strategist  Ira  Winkler  answers  readers’  questions  about 
securing  intellectual  property  and  handling  corporate 
espionage. 

26  The  Highs  (and  Lows)  of  the  CSO 

FLASHPOINT  Pity  the  public-sector  CSO.  He  has  to 
overcome  all  the  typical  security  pitfalls— and  he  gets 
to  do  it  all  in  a  bureaucratic  fishbowl. 

By  David  H.  Holtzman 

60  Value  Proposition 

CSO  UNDERCOVER  If  you’re  going  to  sell  security  to  your 
CFO— and  others  in  the  organization— you’d  better 
know  what  matters  to  them. 

DEPARTMENTS 

15  Briefing 

Hold  the  Bioterrorism;  Will  Hunt  Al-Qaida  for  Food; 
Award-Winning  Stupidity;  Is  Spam  Cooked?;  It’s  in 
Committee 

22  Wonk 

Carry  on:  The  TSA  cut  its  staff  for  several  reasons:  Its 
budget  was  slashed,  it  overhired— and  some  of  those 
hires  were  convicted  felons.  By  Julie  Hanson 

57  Machine  Shop 

What  every  CSO  needs  to  know  about  PKI. 

By  Simson  Garfinkel 

TOOLBOX  Fraud  detection  through  pattern  recognition 
technology 

64  Debriefing 

WHERE  ARE  THEY  NOW?  Catching  up  with  Melissa. 


34  cover  story  Patch  and  Pray 

SOFTWARE  SECURITY  Patching— the  only  way  to  prevent 
poorly  designed  software  from  breaking  everything— no 
longer  works.  And  there’s  nothing  you  can  do  about  it. 
Except  maybe  patch  less.  Or  possibly  patch  more. 

By  Scott  Berinato 


42  Immune  Systems 

BIOTERRORISM  Health  officials  are  working  toward  a  sophis¬ 
ticated  IT  network  that  could  detect  the  early  warning  signs 
of  bioterrorism,  but  formidable  obstacles  remain. 

By  Sarah  D.  Scalet 


50  Privacy’s  New  Image 

PRIVACY  America’s  new  rules  of  privacy  are  coming  from 
the  Old  Country.  Here’s  how  Europe  is  getting  America  to 
rethink  privacy.  By  Daintry  Duffy 


28  Bonding  Time 

INDUSTRY  PROFILE:  CHEMICALS  Chemical  companies  maybe 
terrorist  targets.  The  industry  is  pulling  together  to  tighten 
physical  and  electronic  security,  but  it  still  faces  a  troubling 
mixture  of  vulnerabilities.  By  Boh  Violino 


INTRUDER 
ACCESS  DENIED 


Keep  your  on-screen  information  to  yourself  with  a  3M™  Privacy  Computer  Filter. 
It  allows  only  persons  sitting  directly  in  front  of  the  monitor  to  see  on-screen  data. 
Prying  eyes  on  either  side  just  see  a  dark  black  screen.  Available  in  styles  and 
sizes  to  fit  most  CRT  and  notebook  or  desktop  LCD  monitors. 

For  more  information: 

800-553-9215 

www.3M.com/computerfilters 
vikuiti@3M.com 


Innovation 


Vikuiti  ™ 

Display  Enhancement 


©  3M  2003  3M,  Vikuiti  and  the  Vikuiti  “Eye”  symbol  are  trademarks  of  3M. 


081 

we 

CSOQ 


e.com 


■  mi 


Security  Counsel 

This  month,  Fiona 
Williams,  a  partner  in 
Deloitte  &  Touche  Secu¬ 
rity  Services  Practice, 
will  be  available  online 
to  answer  your  ques¬ 
tions  about  the 
Sarbanes-Oxley  Act.  Visit  SECURITY 
COUNSEL  to  post  a  question. 
www.csoonline.com/counsel 


t  :  j 

’sSSii 

■I'  - 


Fiona  Williams 


Daily  Dose  of  CSO 

Bookmark  CSOonline  so  you  won’t  miss 
the  new  content  we  post  each  weekday. 
Here’s  a  rundown  of  what  you’ll  find: 

MONDAY 

TALKBACK  Tell  us  what  you  think. 
Can  your  employees  be  too  security 
conscious?  Visit  each  week  to  share 
your  opinion  on  this  and  other  controver¬ 
sial  security  topics. 

www.rsnnnline.  r.nm/talkhark 


Research  Centers 

Dig  deep  on  a  topic  by  browsing 
CSOonline’s  RESEARCH  CENTERS  for 
articles,  interviews,  webcasts  and  links. 

SECURITY  EXECUTIVE 

Get  to  know  yourself  and  your  peers. 

www.csoonline.com/executive 
LEGISLATION  &  POLICY 
Keep  an  eye  on  Washington. 
www.csoonline.com/legislation 
THREATS  &  RECOVERY  Secure  the 
perimeter,  www.csoonline.com/threats 
STRATEGY  &  MANAGEMENT 
Set  a  course  for  the  future. 
www.csoonline.com/strategy 

Free  Newsletters 

CSO  newsletters  delivered  right  to  your 
inbox  for  free.  CSO  UPDATE  highlights 
CSOonline’s  most  recent  content.  CSO 
WANTED  UPDATE  alerts  you  to  the  latest 
openings  in  our  job  database. 
www.csoonline.com/newsletters 

Get  Alarmed 

Read  informed  opinions  on  security  and 
privacy  topics  from  GSO’s  outspoken 
experts,  Senior  Editor  Scott  Berinato  and 
Senior  Writer  Sarah  D.  Scalet.  Read 
ALARMED  twice  a  month. 
www.csoonline.com/alarmed 


TUESDAY 

SECURITY  CHECK  Quick  and  easy.  Vote 
in  our  weekly  security  poll.  You  may  also 
check  the  results  of  previous  polls,  such  as 
“Should  the  same  person  head  up  IT  secu¬ 
rity  and  physical  security?”  A  majority 
(56  percent)  of  respondents  answered  no. 
www.csoonline.com/poll 

WEDNESDAY 

ANALYST  REPORTS  We’ve  gathered 
research  and  analysis  from  respected 
sources  and  put  it  in  one  convenient 
package.  In  a  recent  report,  Robert  Frances 
Group  shed  light  on  the  new  and  improved 
security  protocols  for  WLANs  and  warns 
security  executives  that  potential  pitfalls 
remain. 

www.csoonline.com/analyst 

THURSDAY 

METRICS  Did  you  know  that  corporate 
losses  caused  by  spam  will  reach 
$198  billion  by  2007?  Visit  each  week  for 
the  statistics  that  matter  to  security  pro¬ 
fessionals.  www.csoonline.com/metrics 

FRIDAY 

POLITICS  &  POLICY  Read  our  weekly 
recap  of  action  on  the  Hill.  Get  the  full  text 
of  bills  before  the  House  and  Senate,  and 
blurbs  about  other  legislative  activity— 
from  inside  the  Beltway  and  out. 
www.csoonline.com/politics 


President  Walter  Manninen 
Group  Publisher  Gary  J.  Beach 
Publisher  Bob  Bragdon 

EDITORIAL 

Editor  in  Chief  Lew  McCreary 
Executive  Editor  Derek  Slater 
Managing  Editor  Elaine  M.  Cummings 
Managing  Editor,  Production  Cheryl  R.  Asselin 
Senior  Editors  Scott  Berinato,  Daintry  Duffy 
Research  Editor  Lorraine  Cosgrove  Ware 
Senior  Writer  Sarah  D.  Scalet 
Editor  at  Large  Simson  Garfinkel 
Copy  Chief  Tom  Wailgum 
Asst.  Managing  Editor,  Production  Kathleen  S.  Carr 

Copy  Editors  Kelli  A.  Gauthier  (Assoc.), 
Emily  S.  Henderson,  Sarah  Johnson  (Assoc.) 

Special  Projects  Manager  Lynne  Z.  Rigolini 
Editorial  Resource  Manager  Carol  Zarrow 
Editorial  Assistants  Daniel  J.  Horgan,  Joe  Sullivan 

Contributors  David  H.  Holtzman,  Paul  Roberts, 
Bob  Violino,  Ira  Winkler 

Editorial  Operations  Specialist  Julie  Hanson 

DESIGN 

Executive  Director,  Art  and  Design  Mary  Lester 
Art  Director  Steve  Traynor 
Senior  Designer  Chandra  Tallman 
Design  Operations  Specialist  Rachel  Barnett 

ONLINE  EDITORIAL 

Web  Editorial  Director  Art  Jahnke 
Consulting  Editor  Janice  Brand 
Web  Editor  Sandy  Kendall 
Web  Writer  Jon  Surmacz 

ONLINE  &  INFORMATION  SYSTEMS 

Chief  Information  Officer  Mark  Hall 

ONLINE 

Senior  VP/General  Manager,  Online  Tim  Horgan 
Executive  Web  Editor  Martha  Heller 
Online  Technology  Director  Dagmar  Eiben 
Senior  Web  Developer  Ellen  Morey 
Director  of  Online  Research  Kathleen  Kotwica 
Audience  Development  Manager  Andrew  Burrell 
Web  Developers  Diane  Chen,  Shannon  Macdonald 
Online  Content  Researcher  Tara  Gillet-Liloia 
Designer  Graham  White 
INFORMATION  SYSTEMS 
Infrastructure  Manager  James  C.  Burgoyne 
User  Services  Manager  Ron  Bettencourt 

Senior  User  Services  Specialists  Michael 
Fahlsing,  Jonathan  Frappier 

Systems  Administrator  Robert  Reagan 


Founder  Joseph  L.  Levy 

INTERNATIONAL  DATA  GROUP 

Board  Chairman  Patrick  J.  McGovern 
CEO  Pat  Kenealy 

BPA  INTERNATIONAL  MEMBERSHIP 

Applied  for  August  2002 
©  CXO  Media  Inc. 


6  www.csoonline.com  August  2003 


SB^SggMpijfe 

1||§PP 


INTRODUCING  REALSECURE 
NETWORK  7.0. 


RealSecure  Network  7.0 


Unified  protocol  analysis  and  pattern  matching  -  that  works 
Analyzes  95  network  protocols  -  catching  even  unknown  attacks 
Nonstop  protection  at  network  speeds  up  to  IGbps 
Backed  by  X-Force  "  the  world’s  #7  security  intelligence  team 


RELEASED  JUST  AHEAD  OF 
EVIL  THREAT  6.8. 


Dynamic  Threat  Protection.  The  most  complete  protection  available.  Leading  edge  detection,  prevention 

and  response  that  stops  the  bad  guys  cold.  That’s  RealSecure®  Network  7.0.  Our  solution  offers  the  most  accurate  protection  at 
network  speeds  without  slowing  you  down.  Plus,  our  SiteProtector  ™  centralized  management  system  makes  protecting  a  large  network 
as  simple  as  the  click  of  a  mouse.  Or,  let  us  do  it  for  you  with  our  24/7  Managed  Protection  Services.  Keep  evil  one  step  behind.  Find 
out  why  RealSecure  is  the  market  share  leader,  visit  www.iss.net/iss-cso  or  call  us  at  800-776-2362. 


NSS 

approved 


Internet 

Security 

Systems 


the  Editor 


m 


Hope  for  the  Cybersilent  Majority 

One  of  the  large  problems  that  besets  the  information 
security  practice  is  an  understandable  reticence  among 
the  victims  of  cyberattacks  to  come  forward  and  share 


the  experience  with  the  rest  of  us.  In  industries  where  reputation  is  everything, 
it’s  a  bit  of  a  nonstarter  to  contemplate  standing  up  and  declaring  that  Russian 
mobsters  made  off  with  100,000  of  your  customers’  credit  card  numbers. 

Yet,  the  silence  of  the  victimized  has  its  own  harmful  consequences.  Our 
ability  to  prevail  over  cybercrime  depends  to  a  high  degree  on  building  a  fund 
of  information  about  the  ways  in  which  such  attacks  are  carried  out.  In  order  to 
discern  meaningful  intrusion  patterns,  we  need  to  collect  enough  data  from 
which  similarities  can  emerge.  What  are  the  attacks  targeting?  How  many  carry 
a  payload?  And  what  are  the  signature  attributes  of  perpetrators  engaged  in 
various  types  of  attacks?  The  sooner  revealing  data  is  gathered,  the  sooner 
those  signatures  will  become  apparent. 

This  is  Crime-Fighting  101. 

I  recently  discussed  the  problem  with  Paul  Maeder,  the  managing  general 
partner  at  Highland  Capital  Partners,  a  venture  investment  firm  based  in  Lex¬ 
ington,  Mass.,  who  pays  close  attention  to  the  security  space.  The  challenge, 
he  says,  is  to  take  the  analysis  of  network  breaches  up  a  couple  of  notches,  to 
the  point  where  “intentions  can  be  inferred.”  That’s  a  tall  order  requiring  an 
array  of  highly  granular  raw  data.  That  kind  of  depth  depends  on  forensic 
information-gathering  and  candid  disclosure  of  the  findings. 

Until  there’s  a  trusted  and  widely  used  mechanism  for  information-sharing 
about  all  manner  of  anomalous  cyberactivity,  efforts  to  defend  against  potentially 
calamitous  attacks  will  be  hampered,  leaving  everyone  more  vulnerable. 

How  do  we  provide  incentives  for  the  necessary  level  of  cooperation?  Maeder 
cites  a  potentially  useful  model  that  businesses  should  consider  emulating:  the 
nearly  30-year-old  alliance  between  the  FAA  and  NASA.  Behaving  as  a  trusted 
third  party,  NASA  collects  incident  reports  from  pilots,  flight  attendants,  air- 
traffic  controllers,  mechanics  and  ground  personnel  who  were  either  involved 
in  or  witnessed  situations  affecting  air  travel  safety.  Incident  reports  are  filed 
voluntarily  through  the  Aviation  Safety  Reporting  System  (ASRS).  As  an  incen¬ 
tive,  the  FAA  grants  limited  immunity  to  those  who  file  reports,  waiving  fines 


and  other  penalties  for  “unintentional  violations” 
reported  through  ASRS.  Those  who  do  not  file  reports 
within  10  days  of  an  incident  will  not  enjoy  immunity 
from  the  consequences  of  ensuing  investigations. 

The  government-granted  waiver  to  provisions  of  the 
Freedom  of  Information  Act  (FOIA)— allowing  compa¬ 
nies  to  share  information  about  security  incidents  with¬ 
out  it  becoming  a  matter  of  public  record— is  a  step  in 
the  right  direction.  But  there  still  is  no  widely  trusted 
collection  point  for  information  about  security 
breaches.  The  CERT  Coordination  Center  at  Carnegie 
Mellon  University  admirably  fulfills  part,  but  not  all,  of 
that  task  because  it  lacks  any  enforcement  teeth.  With 
ASRS,  on  the  other  hand,  failure  to  disclose  the  partic¬ 
ulars  of  an  aviation  misadventure  could  ensnare  indi¬ 
viduals  in  an  FAA  inquiry,  leading  to  potentially 
unpleasant  consequences.  If,  says  Maeder,  legislation 
established  CERT  as  the  trusted  third  party  for  vulner¬ 
ability  reporting  and  specified  consequences  for  failing 
to  report,  that  would  help.  But,  he  adds,  “my  guess  is 
that  such  legislation  would  only  pass  if  cybersecurity 
truly  became  a  national  security  issue— which  it  won’t  if 
we  keep  sweeping  major  attacks  under  the  rug.” 

At  this  point,  the  rug  is  lumpy  with  important 
sweepings.  We  need  to  shed  some  light.  And  while 
we’re  at  it,  that  single  point  of  data  collection  should 
aim  to  integrate  cyber-  and  physical-security  vulnera¬ 
bilities  under  one  roof.  Then  we’ll  make  real  progress. 

-Lew  McCreary 
mccreary@cxo.com 


8  www.csoonline.com  August  2003 


PHOTO  BY  WEBB  CHAPPELL 


w- 


CCTP  would  have  made  his  life  much  easier  CCTP,  engineered  by  Anixter,  is: 


Introducing 

OCCTP 

video  surveillance  for  the  digital  age 

Want  to  know  more? 

Simply  go  to  anixter.com/CCTP 

or  call  1-800-ANIXTER. 


•  The  only  open  architecture,  standards-based, 
structured  video  surveillance  solution 

•  30%  less  expensive  than  traditional 
CCTV  systems 

•  Video,  Power  and  Control  over  one  optimized 
UTP  cable 

•  Able  to  handle  existing  analog  technology 

•  Ready  for  the  IP  surveillance  future 

»CCTP  products  exclusively  manufactured  for  Anixter  by  Belden  and  Siemon. 


"Winner  of  the  "Best  New  Technology"  Award  at  the  Federal  Office  Systems  Expo  (FOSE) 


csoletters@cxo.  com 


Still  Armored  After  All  These  Years 

Editor  in  Chief  Lew  McCreary  asked  in  his 
May  editor’s  letter  whether  there  is  quantifi¬ 
able  ROI  from  spending  money  to  make 
people  feel  safe,  as  opposed  to  actually 
being  safe.  Three  months  later,  his  column 
continues  to  touch  a  nerve. 

SECURITY  MAY  NOT  BE  A  FEELING, 

but  the  emotional  aspects  do  play  a  part. 
Visible  protective  measures  like  guards  and 
gun  turrets  make  people  feel  protected 
while  more  passive  measures  like  video 
recorders  tend  to  be  more  forensic  or  reac¬ 
tive  than  preventative. 

We  all  want  to  feel  safe,  and  we  seek 
solutions  that  create  safety  where  we  per¬ 
ceive  it  does  not  exist. 

That  allows  us  to  be  misled  into  buying 
the  armored  car  or  its  infosec  equivalent. 
Many  products  fall  into  this  categoiy  and 
usually  function  as  advertised  but  do  not 
improve  day-to-day  security. 

As  security  practitioners,  our  job  is  to 
paint  a  realistic  picture  of  the  current 
security  situation.  If  the  situation  is 
uncomfortable,  we  need  to  determine 
the  level  of  desired  safety  and  develop  a 
map  that  will  lead  to  a  state  where  the 
actual  situation  is  more  in  line  with  the 
desired  one. 

Once  this  balance  is  achieved,  we  can 
feel  safe  as  long  as  we  remain  vigilant. 

JIM  D I  DOMINICUS 

CISO 

New  York  Board  of  Trade 

YOUR  EDITORIAL  IS  RIGHT  ON  TARGET 

with  the  general  population’s  view  of  secu¬ 
rity.  My  response  is  “Perception  is  reality.” 
Keep  up  the  great  job! 

STEVEN  ADLER 

Corporate  Audit  and  Advisory  Services 
Health  Net 

Security,  It  Ain’t  Pretty 

Bollards  and  barrels  and  barriers,  oh  my! 
“Hidden  Strengths,”  Senior  Editor  Daintry 

10  www.csoonline.com  August  2003 


l 


Strengths 


Duffy’s  May  feature,  asked  whether  security 
has  to  be  so  darn  ugly  to  be  effective.  How 
can  we  put  the  pretty  in  a  jersey  barrier? 

IN  MANY  CASES,  PEOPLE  NEED  Visi¬ 
ble  proof  of  security  to  feel  comfortable. 
However,  if  barriers  are  visually  jarring, 
they  may  have  a  counterproductive  effect 
by  serving  as  a  reminder  of  the  perception 
of  danger.  I  think  you  can  have  both  secu¬ 
rity  and  comfort  by  aesthetically  designing 
the  security  elements  of  a  building. 

RON  PENNINGTON 

Corporate  Security  Manager 
Xilinx 

YOUR  ARTICLE  IS  WELL-MEANING. 

But  I  have  countless  clients  screaming  for 
an  alternative  to  bollards.  Try  to  find  some¬ 
thing  that’s  crash-rated  by  the  government 
or  anybody  else.  Architects  and  security 
designers  will  use  any  alternatives  avail¬ 
able.  Where  are  they?  Give  me  something 
to  use,  that  I  can  specify,  and  I  will  use  it. 

DAVID  w.  POLENSKY 

Security  Consultant 
Kroll  Security  Services  Group 


SECURITY  SOLUTIONS  WILL  BECOME 

multifaceted.  Standoff  distances  are  a  com¬ 
ponent  of  effective  security,  as  are  access 
restrictions.  Another  increasingly  discussed 
component  is  selective  structure  strength¬ 
ening.  This  solution  uses  advanced  com¬ 
posite  material  systems,  which  maintain 
the  architectural  and  aesthetic  appeal  of 
the  element  being  strengthened.  Externally 
bonded,  carbon  fiber-reinforced  polymers 
(CFRP)  are  used  extensively  in  California 


How  to  Reach  Us 

E-MAIL 

csoletters@cxo.com 

PHONE 

508  872-0080 

FAX 

508  879-7784 

ADDRESS 

CS0  Magazine 

492  Old  Connecticut  Path,  P.0.  Box  9208 
Framingham,  MA  01701-9208 

SUBSCRIBER  SERVICES 

phone:  866  354-1125 
fax:  847  564-9453 
e-mail:  cso@omeda.com 

REPRINTS 

Reprints  are  available  by  calling  Reprint  Services 
at  651  582-3834,  or  via  e-mail  at 
csoreprints@reprintservices.com. 


about  idg  International  Data  Group  (IDG),  the  lead¬ 
ing  global  provider  of  IT  media,  research,  conferences 
and  events,  informs  more  people  about  technology  than 
any  other  company  in  the  world,  Offering  the  widest 
range  of  media  options,  IDG  reaches  more  than  120 
million  technology  buyers  in  85  countries  represent¬ 
ing  95  percent  of  worldwide  IT  spending,  IDG  publishes 
more  than  300  newspapers  and  magazines  in  85  coun¬ 
tries,  led  by  the  Computerworld,  infoworid.  Macworld. 
Network  World,  PC  World  and  CIO  global  product 
lines,  IDG  offers  online  users  the  largest  network  of 
technology-specific  sites  around  the  world  through 
IDG.net  (www.idg.net),  a  gateway  to  IDG's  330  web¬ 
sites  powered  by  more  than  2,000  journalists  reporting 
from  every  continent  in  the  world.  IDG  also  produces 
168  technology-related  conferences  and  events,  and 
research  company  IDC  provides  global  market  intelli¬ 
gence,  analysis  and  forecasts  in  43  countries, 


to  strengthen  highway  bridge  columns. 

This  system  is  unique  in  that  it  can  provide 
tremendous  strengthening  with  little  or 
no  aesthetic  loss.  The  Federal  Building  in 
Oklahoma  City  would  not  have  collapsed  if 
the  main  ground  level  columns  were  forti¬ 
fied  using  CFRP.  Once  applied  and  cured,  a 
2  to  4  millimeter  covering  of  CFRP  can  be 
finished  with  almost  any  topcoat. 

PAUL  JESTER 

VP  and  General  Manager 

Sundt  Structural  Services 

ANOTHER  CHALLENGE  THAT  PEOPLE 
overlook  is  maintaining  the  historic 
integrity  that  is  mandated  by  the  likes  of 
the  Commission  of  Fine  Arts  and  the 


m 


if? 


m 


m 


SSC.1 


With  neuSECURE™,  industry-leading  software 
from  GuardedNet,  you  can  transform  those 
mountains  of  raw  security  event  data  into  what 
you  really  need  -  knowledge  to  help  you  manage 
on’s  security  posture. 


neuSECURE:;:  threat  management  process 


Firewalls 

IDS 

1 

Routers 

Op  Systems 

Applications 

Others 

Centralize  Analyze  Investigate  Report 

Correlate  Bj|  Prioritize  Respond  Remember 

IllSSlSsSil 


neuSECURE  is  a  security  management  and 
incident  response  platform  for  log  aggregation, 
event  correlation,  threat  analysis,  threat  response 
and  forensic  investigation 
of  security  event  data 
from  firewalls,  IDS’,  hosts 
and  routers.  neuSECURE 
facilitates  real-time 
attack  detection,  investigation  and  response  and 
generates  a  wide  range  of  reporting  options  for 
operations,  management  and  audit  compliance. 


Fora  free  practitioner's  guide  by  industry  expert 
Ken  Pfeil  called  “ Best  Practices  for  Incident 
Response ”,  call  1-888-599-8297  or  visit 
www.guarded.net/csomag_  bestpractices.html. 


DNET 


Digital  Document 
Security  and  IT: 
Everything  you 
need  to  know. 

#  What  are  the  most  significant 

•  digital  copier  security  issues? 

A#  Various  copier  print  controllers 
•  are  actually  servers  that  queue 
and  permanently  store  multiple 
document  files,  providing  administrator 
access  to  the  documents.  At  a 
minimum,  most  digital  copiers  retain 
the  last  document  processed;  some 
even  retain  multiple  documents 
totaling  hundreds  of  pages.  Others 
redirect  print  jobs  when  the  printer  is 
busy  or  jammed,  making  "denial  of 
service" attacks  possible. 

How  does  Sharp  protect  the 
network  interface? 

A#  The  Sharp  Ethernet  card  allows 
•  administrators  to  restrict  access 
and  disable  unnecessary  protocols. 
With  this  network  card,  the  Sharp 
digital  copier  is  essentially  protected 
by  its  own  firewall. 

#  How  can  you  be  sure  that 
'  •  security  products  actually 
perform  as  claimed? 

A#  The  Common  Criteria  program 
•  — administered  by  the  U.S. 
National  Security  Agency  and  the 
National  Institute  of  Standards  and 
Technology — evaluates  security 
solutions.  Products  that  are  validated 
under  the  program  meet  security  levels 
consistent  with  ISO  1 5408  methodology. 

m  How  can  Sharp  improve  IT 
,  •  security? 

A#  Sharp  offers  print  privacy 
•  solutions  designed  to  restrict 
unauthorized  personnel  from  seeing 
confidential  materials.  Copier  access 
can  be  controlled  and  monitored, 
while  documents  retained  in  printer/ 
copier/scanner/fax  memory  are 
immediately  cleared  to  eliminate 
unauthorized  access. 


sharpusa.com 


be  sharp 


©2003  Sharp  Electronics  Corporation. 


csoletters@cxo.  com 


National  Capital  Planning  Commission 
that  have  final  approval  over  security 
designs  in  the  National  Capital  Region. 
When  a  collective  group  comes  to  the  real¬ 
ization  of  acceptable  risk,  cost  and  design, 
hopefully  this  challenge  of  ugly  barriers 
will  be  easier  to  deal  with. 

JASON  ROSEN 

Countermeasure  Planner 
HDR  Security  Operation 

A  Job  Is  a  Terrible  Thing  to  Waste 

A  roof  over  one’s  head,  and  a  job  to  pay  for 
that  roof.  It’s  what  we  all  desire.  Our  June 
two-part  feature,  “Bob  Moore  Knows  How  to 
Get  Hired. ..and  How  Not  to  Get  Fired,"  aimed 
to  help  you  get  that  job  and  then  hold  onto  it. 
This  reader  appreciated  the  blueprint. 

EXCELLENT  ARTICLE.  IT  HITS  ON 

many  of  the  issues  that  I  hear  almost  daily. 
Many  companies  wonder  why  their  first 
initiatives  at  establishing  an  infosec 
department  fail  to  meet  their  expectations. 

I  feel  it  is  mainly  because  there  has  not 
been  a  focus  on  the  business  side  of  the 
equation.  Security  is  not  a  “black  art”;  it  is 
a  necessary  business  function  that  requires 
the  same  management  principles  as  any 
other  corporate  department. 

I  was  also  pleased  to  read  the  comments 
on  developing  strategic  plans.  I  have  always 
been  a  firm  believer  that  all  security  depart¬ 
ments  must  prepare  a  yearly  strategic  and 
operational  plan  to  support  their  initiatives. 

It  is  an  effective  tool  to  communicate  with 
senior  managers  in  a  language  they  under¬ 
stand.  It  also  forces  the  security  practitioners 
to  tie  their  security  initiatives  to  the  business. 

GENE  FREDRIKSEN 

VP  of  Information  Security 
Raymond  James  Financial 

Do  Sound  the  Alarm 

Thornton  May  was  featured  in  our  June  issue 
under  the  heading  “Why  Security  Needs  to 
Blow  Its  Own  Horn.”  That  might  be  all  the 
introduction  he  needs.  Several  of  you  picked 
up  a  bugle. 

12  www.csoonline.com  August  2003 


GOOD  SECURITY  WILL  NEVER  BE  VOL- 

untary.  Until  the  business  recognizes 
the  need  for  a  CSO  and  supports  the 
CSO,  it  is  a  lost  cause.  People  dislike 
having  their  bags  searched  at  the  airport 
where  the  potential  exists  for  real  danger. 
What  is  the  penalty  for  having  a  Post-it 
with  your  password  on  your  monitor? 

JOSEPH  A.  PUGLISI 

CIO 

Emcor  Group 

GOOD  MESSAGE.  I  THINK  MAY  IS 

dead-on.  Whether  the  topic  is  security, 
application  development,  IT  strategy'  or 
building  cars,  the  tired  model  of  “mass 
production”  (I’m  going  to  build  it  my  way, 
and  you  have  to  accept  that  and  buy  it)  is 
quite  dead. 

Today,  customer  (or  business)  centricity 
rules.  If,  as  a  security  provider,  you  cannot 
build  your  answers  within  the  true  context 
of  the  CEO’s  question,  May  is  right  in  say¬ 
ing  that  the  CEO  does  not  have  to  buy  it, 
and  probably  won’t. 

BRUCE  BARNES 

President 
Bold  Vision 

EXCELLENT  INTERVIEW!  MAY  TELLS 

it  like  it  is.  My  experience  with  non-IT 
security  was  not  good.  They  tend  to  be 
hard-nosed  wannabe  cops  who  try  to  dic¬ 
tate  rather  than  inform  and  collaborate.  It 
is  about  time  their  cover  was  blown,  and 
May  is  just  the  man  to  do  it.  Your  interview 
was  well  designed  and  covered  the  topic  in 
fine  fashion.  Your  selection  of  Thornton 
May  was  inspired. 

DICK  HUDSON 

CIO  Emeritus 
Global  Marine 


E-mail  criticism,  thoughts  and  suggestions  to 
csoletters@cxo.com.  You  can  read  the  stories  mentioned 
in  these  letters  at  www.csoonline.com/printlinks. 


"Trends  in  Proprietary  Information  Loss  Survey  (ASIS  2002).  ©2003  Sharp  Electronics  Corporation 


P^/c/ 


****/* 


How  secure  is 

Protect  your  information  with  the  Data  Security 
Kit  from  Sharp.  Financial  facts,  personnel  records, 
customer  lists:  networked  copiers/printers  process 
sensitive  information  every  day.  Unfortunately,  their 
hard  drives  can  also  be  accessed  via  the  network, 
contributing  to  $60  billion  worth  of  information 
theft  every  year.*  To  protect  this  weak  link  in  your 


Common  Criteria 


your  digital  information? 


corporate  security,  we've  created  our  Data  Security 
Kit.  It's  the  first  copier  and  printer  protection  to 
be  validated  by  Common  Criteria,  a  government- 
sponsored  program,  and  it's  available  only  with 
our  Digital  IMAGER™  series  of  copiers/printers. 
Sharp's  Data  Security  Kit.  Enhanced  information 
protection  at  your  fingertips,  sharpusa.com/security 


be  sharp™ 


IT  Training  & 
Certification 


'  I  J  »  mm 


m  1  ’ '  S  §  i 

I 


Mitnick's  Social  Engineering  In  2  Days 
Wireless  Network  Security  In  4  Days 
Web  Application  Hacking  In  3  Days 
Professional  Hacking  In  5  days 


j  *  ■■ 

mm  m  i  r^-v^ 


Computer  Forensics  In 


,4h 


CompTIA  Security+  In  5  Days 
MCSE  Security  In  14  Days 


Virtual  CISSP®  In  3 


Check  Point  In  6 


CCSP®  In  12 


Days 
CISSP®  In  7  Days 


Microsoft 

CERTIFIED 


Locations  'm:  Ft,  Lauderdale.  FL  |  New  York  Metro  |  Columbus,  OH  |  San  Diegoj CA1* Washington, iPc  Metro 

8211  W.  BROWARD  BLVD  FORT  LAUDERDALE,  FL  33324  Ph.866-300-2119  -  I NTENSE  SCHOOL  -  W w w. intenseschool.com 


Has  your  company 
made  any  special 
preparations  for  a 
potential  bioterrorist 
attack? 


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  Carr  and  Daintry  Duffy 


Hold  the  Bioterrorism 

REGULATIONS  Though  you’ll  probably  never 
know  what's  actually  in  your  Happy  Meal,  it’d  be  nice  to 
rule  out  anthrax.  Concerns  over  bioterrorism  affecting  the 
food  supply  have  led  the  U.S.  Food  and  Drug  Administra¬ 
tion  to  solicit  help  from  companies  to  develop  a  new  sys¬ 
tem  to  track  and  model  the  flow  of  food. 

The  FDA  has  made  a  request  for  information  in 
response  to  language  in  the  Public  Health  Security  and 
Bioterrorism  Preparedness  and  Response  Act  of  2002.  The 
act  charged  the  FDA  with  improving  its  information  man¬ 
agement  systems  so  that  it  could  better  detect  and 
respond  to  intentional  food  tampering. 

The  act  describes  two  possible  systems:  one  to  track 
food  shipments,  and  one  to  model  the  flow  and  consump¬ 
tion  of  food,  according  to  Morris  Potter  of  the  FDA's  Center 
for  Food  Safety  and  Applied  Nutrition.  The  food-tracking 
system  would  work  with  proposed  regulations  from  the 
FDA  requiring  food  companies  to  standardize  recordkeep¬ 
ing.  That  would  relieve  FDA  investigators  of  having  to 
comb  through  invoices  to  track  contaminated  food  back  to 
its  source.  With  standardized  records  maintained  in  a 
system  under  FDA  governance, 
regulators  could  quickly  recon¬ 
struct  the  food  path.  The  new 
food-modeling  system  proposed 
in  the  FDA’s  request  for  infor¬ 
mation  would  help  the  agency 
determine  the  cause  of  out¬ 
breaks  and  their  effects. 

“That  data  could  then  help 
the  FDA  model  its  response  to 
outbreaks  in  different  popula¬ 
tions,  putting  the  right  number 
of  inspectors  in  the  right 
places,"  Potter  says. 

The  food  industry  has  already 
voiced  opposition  to  the  FDA’s 
proposed  reporting  rule  changes, 
citing  the  cost  of  implementing 
the  new  reporting  requirements, 
and  the  private  sector  has 
voiced  concerns  about  the  FDA 
owning  their  customer  informa¬ 
tion  as  part  of  the  food-tracking 
system.  -Paul  Roberts 


Will  Hunt  Al-Qaida  for  Food 


COMPENSATION  Federal  agents 
associate  with  mobsters,  live  among 
drug  traffickers  and  are  tasked  with 
dismantling  terrorist  cells.  But  while 
9/11  raised  the  stakes  for  FBI 
agents,  it  didn’t  do  anything  to 
raise  their  pay. 

Compensation  for  agents  is  set 
by  Congress  on  a  pay  scale  that 
typically  lags  behind  the  private 
sector.  This  pay  discrepancy 
makes  it  particularly  chal¬ 
lenging  for  govern¬ 
ment  agencies 


The  government  has  warned  of  a  pos¬ 
sible  bioterrorist  attack,  but  most  of 
you  haven't  heeded  the  warnings. 
Read  Senior  Writer  Sarah  D.  Scalet's 
story,  “Immune  Systems,”  on  Page 
42,  to  learn  what  health  officials  are 
doing  to  detect  early  warning  signs  of 
bioterrorism. 


to  attract  professionals 
from  fields  such  as 
computer  science  and 
languages,  says  Michi¬ 
gan  Rep.  and  former 
FBI  Special  Agent 
Mike  Rogers.  The 
modest  government 
salaries  also  make  life 
tough  for  agents  sta¬ 
tioned  in  expensive 
housing  markets  such 
as  Boston,  Chicago, 
New  York  City  and 
San  Francisco,  says 
FBI  spokesman  Paul 
Bresson.  All  agents  in 
the  FBI  start  at  a  base 
salary  of  $44,000  with 
guaranteed  overtime 


of  about  $25,000  per  year.  According 
to  current  salary  rules,  Chicago  employ¬ 
ees  would  make  an  extra  4  per¬ 
cent  over  folks  working  in, 
say,  Des  Moines,  Iowa. 

However,  the 
cost  of  living  is 
30  percent  higher 
in  Chicago. 

But  a  new  bill  spon¬ 
sored  by  Rogers  could  help. 
The  Federal  Law  Enforce¬ 
ment  Pay  Equity  and  Reform 
Act  of  2003  (HR  1676)  will, 
among  other  things,  remove  a  cap 
on  overtime  compensation  and 
raise  the  pay  of  agents  in  high 
cost-of-living  areas.  In  addition, 
the  law  would  create  a  separate 
pay  and  promotion  system  for  federal 
law  enforcement  agents,  whose  salaries 
have  been  lumped  in  with  other  federal 
employees.  The  system  will  also  be 
designed  to  increase  the  government’s 
retention  of  talented  agents  with  valu¬ 
able  skill  sets.  Currently,  such  employ¬ 
ees  are  easily  lured  away  to  lucrative 
jobs  as  security  consultants  in  the  pri¬ 
vate  sector,  says  Rogers.  “You’ve  got  a 
guy  who  specializes  in  computers  wrho 
spends  five  years  with  the  FBI  studying 
computer  forensics.  Do  you  knowr  howr 
much  that  guy  is  worth  in  the  private 
sector?  Companies  are  going  to  pay 
huge  money  for  that  type  of  experience, 
and  the  government  can’t  compete  with 
that.  You’ve  got  to  get  compensation  to 
a  level  where  public  service  makes 
sense,”  he  says.  -Paul  Roberts 


August  2003 


www.csoonline.com 


ILLUSTRATIONS  BY  DAN  YACCARINO 


Award-Winning  Stupidity 

PRIVACY  Anyone  who  has  watched  Most  Inexplicably  Stupid  Award 


his  grandmother’s  flowered  satchel  sub¬ 
jected  to  intense  scrutiny  at  the  airport 
knows  that  security  regulations  are 
sometimes  implemented  in  absurd 
ways.  Recognizing  these  regulations  as 
an  area  for  ridicule,  Privacy  Interna¬ 
tional  rolled  out  its  2003  Stupid  Secu¬ 
rity  Contest.  The  U.K.-based  privacy 
rights  group  received  almost  5,000 
nominations  from  35  countries  for  the 
most  “pointless,  intrusive  and  stupid 
security  measures.” 

Here  are  some  of  the  honorees. 

Most  Flagrantly  Intrusive  Award 

Winner:  Delta  Air  Lines  terminal  at 
JFK  Airport  in  New  York  City, 

where  security  personnel  forced  a  nurs¬ 
ing  mother  to  drink  three  bottles  of  her 
own  breast  milk  to  prove  they  did  not 
contain  explosives. 

Most  Egregiously  Stupid  Award 
Winner:  The  Australian  govern¬ 
ment  for  setting  up  a  toll-free  number 
for  citizens  to  report  suspicious  activity 
without  defining  what  such  activity 
might  look  like. 


DEPARTMENT  OF  BIO, 


Winner:  Philadelphia  International 
Airport  for  instituting  a  hazmat  alert 
after  a  Saudi  college  student  sprayed 
cologne  on  himself  at  a  security  check¬ 
point  to  demonstrate  the  contents  of  a 
bottle.  A  doughnut  shop  and  a  drugstore 
in  Philadelphia  were  later  quarantined 
by  authorities  after  they  were  visited  by 
two  police  officers  who  had  been  in  con¬ 
tact  with  the  cologne. 


For  more  on  privacy,  read  “Privacy’s 
New  Image,”  Page  50. 

-Daintry  Duffy 


,  ^  I 


SCARY  NUMBERS 


Identity  theft  will  cost  the 
world  $221  billion  this  year. 

The  current  trajectory 
wouldpush  the  cost  of 
identity  theft  to  $2  trillion 
by  the  end  of 2005. 

SOURCE:  ABERDEEN  GROUP 


A  Secure  Step 
in  the  Right 
Direction 

GOVERNMENT  REFORM 

We’re  not  out  of  the  woods  yet,  but 
we’re  finally  using  the  bread  crumbs 
as  a  trail.  After  years  of  disparaging 
reports  on  the  state  of  IT  security  in 
various  federal  agencies,  there’s 
finally  some  good  news.  The  White 
House  Office  of  Management  and 
Budget  released  its  “FY  2002  Report 
to  Congress  on  Federal  Government 
Information  Security  Reform"  in  May. 
The  report  found  that  federal  agen¬ 
cies  have  made  noticeable  progress 
on  a  number  of  governmentwide  IT 
security  problems. 

In  2002,  senior  management  gave 
more  attention  to  IT  security  within 
federal  agencies,  and  the  federal 
government  did  a  better  job  of 
detecting,  reporting  and  sharing 
information  about  vulnerabilities.  IT 
security  awareness  and  education 
among  federal  employees  also 
showed  improvement  from  2001. 

In  addition,  the  0MB  found  an 
increase  in  the  percentage  of  federal 
government  computer  systems  that 
have  been  assessed  for  security  risk 
and  that  have  up-to-date  IT  security 
plans.  It  also  saw  evidence  of  better 
bureau  oversight  and  better  coopera¬ 
tion  between  CIOs,  inspectors  gen¬ 
eral  and  senior  agency  officials. 

Despite  the  encouraging  trend,  the 
federal  government  has  much  work 
left  on  the  IT  security  front,  accord¬ 
ing  to  the  report.  Many  federal  agen¬ 
cies  continue  to  suffer  from  lingering 
problems,  such  as  an  absence  of 
system-level  security  plans.  In  addi¬ 
tion,  federal  agencies  are  failing  to 
fulfill  the  requirement  to  review  their 
IT  systems  and  programs  each  year 
and  to  prioritize  their  IT  purchasing. 
While  the  gaps  in  the  federal  govern¬ 
ment’s  IT  security  are  closing,  some 
holes  remain.  -Paul  Roberts 


16  www.csoonlme.com  August  2003 


CSO  Advertising  Supplement 


R 


mmmm 

"■WliVml 

■  Security  Perspectives  from  Unisys 


ECTIONS 


Summer  2003 


HOT  TOPIC 


Painting  a  ROSI  Picture 

Shahriar  Beigi  on  Security  ROI:  Why  it's  important, 
and  how  it  will  affect  you 

>  Can  you  really  put  a  price  on  security?  Secure  Connections  spoke  with 
Shahriar  Beigi,  from  the  Information  Security  Center  of  Excellence  at  Unisys 
Corporation,  based  in  McLean,  Va.,  to  get  his  perspective  on  security  ROI. 

Where  did  the  trend  toward  security  ROI  originate? 

In  the  mid  to  late  ’90s,  security  spending  was,  for  the  most  part,  driven  by 
competitive  market  forces,  a  must-have  to  remain  at  the  cutting  edge  of  the  new 
technology.  Nobody  thought  much  about  any  return  on  security  investment  or 
whether  security  spending  should  be  measured  by  some  form  of  ROI  metric.  But 
as  spending  grew,  a  red  flag  was  raised,  and  this  was  exacer-  continued  on  page  2 


Welcome  to  Secure  Connections:  Security 
Perspectives  from  Unisys.  This  is  the  first  of  a  series 
of  bulletins  aimed  at  creating  a  new  dialogue  on 
today's  hottest  security  topics.  If  you  have  any 
thoughts  on  the  ideas  presented  in  this  issue — or  on 
topics  that  should  be  covered  in  future  issues — please 
send  an  email  to  ZeroGapPlanning@unisys.com. 


Security  Strategies: 
A  New  Survey 

Parti:  Building  End-User 
Awareness 

First  in  a  series  of  reports  on  results  from  the  new 
Unisys  Security  Landscape  Study. 

>  When  it  comes  to  information  security,  IT  and 
business  executives  are  at  cross-purposes.  On  the 
one  hand,  they  share  the  responsibility  to  create  a 
secure  informational  infrastructure  that  will  safe¬ 
guard  valuable  corporate  data.  But  on  the  other, 
there’s  the  equally  strong  mandate  to  support  the 
overwhelming  need  to  do  business  faster  and  more 
easily.  Faced  with  these  diametrically  opposed 
charters,  leaders  struggle  constantly  for  balance. 

According  to  a  series  of  interviews  Unisys  con¬ 
ducted  with  CIOs  and  CSOs,  IT  and  business  exec¬ 
utives  wrestle  with  several  top  security  risk  areas. 
Over  the  next  several  issues  of  Secure  Connections, 
we’ll  share  insights  on  each  of  these  hot-button 
issues,  beginning  with: 

Building  User  Awareness  of  Security 

CIOs  and  CSOs  agree  that  end-user  awareness — 
and  accountability — makes  up  the  cornerstone  of 
their  organization’s  security  strategy,  and  many 
security  leaders  have  focused  on  this  issue  over  the 
past  two  years.  But  the  results  are  mixed.  While  57 
percent  say  that  executive  support  has  improved, 
end-user  awareness  of  the  security  implications  of 
their  actions  remains  very  low.  Part  of  this  problem 
is  that  many  CSOs  cannot  get  other  C-level  execu¬ 
tives  to  buy  into  tough  security  decisions,  and 
enforce  or  sponsor  security  implementations  within 
their  business  units.  That  said,  respondents  shared 
the  following  best  practices  to  help  build  a  success¬ 
ful  policy  awareness  and  enforcement  program: 

■  Employ  educational  tools,  such  as  webinars 
for  both  employees  and  continued  on  page  2 


UNISYS 

Imagine  it.  Done. 


CSO  Advertising  Supplement 


Customer  Focus: 
SERVING— AND 
SECURING— THE 
ROAD  WARRIORS 

In  this  day  of  the  road  war¬ 
rior,  it's  not  enough  for  hotels 
to  offer  an  extra  phone  jack 
as  a  business  amenity. 

Now,  as  a  matter  of 
course,  smart  hoteliers  offer 
broadband  or  wireless 
Internet  access.  And  with 
that  innovation  comes  a 
host  of  security  issues. 

To  help  prevent  security 
breaches  from  occurring  at 
its  properties,  one  major 
international  hotel  and 
resort  chain  sought  help 
from  Unisys  and  its  Zero- 
Gap  Security  Planning 
approach,  which  protects 
the  properties  with  a  multi¬ 
level  security  program 
designed  to  prevent  attacks 
on  three  levels: 

■  coming  into  the  network 
from  the  Internet; 

■  going  out  to  the  Internet 
from  the  hotel;  or 

■  crossing  the  network 
from  guest  to  guest. 

With  these  new,  secure 
measures  in  place,  it's  safe 
to  say  that  the  hotel's 
guests — and  managers — all 
are  sleeping  more  securely. 


ROSI  continued  from  pagei 

bated  by  the  nuclear  winter  of  technology  spending 
that  has  reigned  for  the  past  few  years.  Today,  the 
stakes  are  higher.  Information  is  now  largely  man¬ 
aged  through  electronic  means  and  the  Internet — 
which  has  brought  about  more  cyber  vulnerabilities, 
more  risk  to  mitigate  and  a  complex  set  of  legal 
requirements.  So  people  have  begun  talking  about 
the  importance  of  ROI  for  security,  which  is  general¬ 
ly  known  as  return  on  security  investment,  or  ROSI. 

How  has  it  been  received? 

As  a  concept,  ROSI  is  still  under  major  debate. 
In  the  basic  business  sense,  ROI  needs  to  be  meas¬ 
urable  in  terms  of  revenue  growth  or  decrease  in 
expenses.  With  security  spending,  however,  organi¬ 
zations  look  to  identify  risk — which  brings  risk 
analysis  to  the  core  of  this  discussion — or  simply  to 
meet  regulatory  obligations.  If  risk  mitigation  is 
what  you  expect  from  your  security  spending,  you 
need  to  be  able  to  identify  and  measure  risk  in  the 
first  place.  The  thinking  is  simply  that  if  you  cant 
measure  ROSI,  you  can’t  really  argue  ROI  with 
your  senior  management.  And  right  now,  there’s  no 
standard  quantitative  method  of  measuring  ROSI. 
But  if  your  security  spending  is  to  bring  you  into 
compliance  with  legal  requirements  for  which  you 
might  be  personally  liable,  your  highest  return  on 
investment  might  simply  be  keeping  your  license  to 
operate.  There  might  be  a  measurable  benefit  on 
the  risk  you  can  identify  and  mitigate,  but  having 
dinner  with  your  family  is  priceless! 

Are  there  any  tangible  measurement  methodologies? 

The  real  debate  comes  down  to  how  risk  analy¬ 
sis  is  conducted.  There  are  quantitative  methodolo¬ 
gies,  which  are  very  subjective.  Qualitative  methods 
on  the  other  hand — conducting  high-level  assess¬ 
ments  across  business  functions  to  offer  a  general 
security  rating  of  low,  medium  or  high — don’t  ten¬ 
der  enough  information  for  CSOs  and  CIOs  to 
make  sound  business  decisions.  I  favor  a  hybrid 
model,  in  which  a  company  starts  with  a  qualitative 
analysis  and  then  layers  a  quantitative  model  over 
that.  Starting  off  with  a  qualitative  approach  would 
provide  initial  information  to  make  the  quantita¬ 
tive  approach  less  skewed  and  more  objective. 

Where  do  you  see  ROSI  going  in  the  future? 


Interestingly,  ROSI  could  lead  indirectly  to  the 
metamorphosis  of  the  CSO’s  job.  What  better  way 
for  CSOs  to  make  security  an  integral  part  of  their 


'The  real  debate  comes 
down  to  how  risk  analysis 
is  conducted." 


business  operations  than  providing  a  measurable 
return  on  the  original  investments?  ■ 

What  are  your  thoughts  on  ROSI?  Send  them  to 
Secure  Connections  at  ZeroGapPlanning@ 
unisys.com 


STRATEGIES  continued  from  page  1 
customer  and  suppliers,  as  well  as  credits  for 
attending  security  seminars,  to  help  push  security 
to  the  forefront  in  the  user  mind-set. 

■  Create  corporate  accountability  within 
departments,  either  by  making  security  adherence 
part  of  a  performance  review  or  by  leading  security 
audits  and  mapping  them  against  the  business 
unit’s  own  assessment  of  the  situation. 

■  Bring  it  to  the  board  with  quarterly  reports 
on  security  accomplishments  and  risk  areas, 
couched  in  terms  of  business  risk  and  payoff. 

Bottom  line:  It’s  not  easy,  and  it  will  take  time, 
but  security  can  evolve  from  a  necessary  evil  to  an 
essential  business  enabler,  even  in  the  minds  of 
end-users.  ■ 

Next  issue:  Creating  a  balance  between  securing 
and  enabling  a  business. 


For  more  information,  please  visit  our  website  @ 
www.unisys.com/security  or  call  800-874-8647, 
x785  (outside  the  US  +1  585-742-6865,  x785) 

Specifications  are  subject  to  change  without  notice. 

©  2003  Unisys  Corporation 

All  rights  reserved. 

Unisys  is  a  registered  trademark,  and  Zero-Gap  Security  Planning  is 
a  registered  service  mark,  of  Unisys  Corporation.  All  other  brands 
and  products  registered  herein  are  acknowledged  to  be  trademarks 
or  registered  trademarks  of  their  respective  holders. 

Printed  in  US  America  7/2003 


CONTACT  US  > 
ZeroGapPlanning@unisys.com 


2  SECURE  CONNECTIONS 


Membership  in  CIO  Select  is  reserved  for  CIOs 


of  midsize  to  large  organizations 


“The  Select  Member  CIO 
you  put  me  in  touch  with 
was  knowledgeable, 
forthcoming  and  extremely 
helpful.  His  shop  and 
ours  have  much  in  common. 
The  call  was  excellent!” 

-CIO  of  a  $7  billion 
insurance  company 


‘I  am  getting  tremendous 
value  out  of  the  board-level 
presentations  I  have  down¬ 
loaded  from  Select.” 

-CIO  of  a  $3  billion 
manufacturer 


BENEFIT  FROM  THE  EXPERIENCE  OF  YOUR 
PEERS -JOIN  CIO  SELECT. 


CIO  Select  is  an  exclusive 
networking  program  that 
helps  CIOs  share  ideas, 
documents  and  advice. 


ClOSelect 


For  Information  and  Membership  Pricing: 

Contact  Martha  Heller.  Director,  CIO  Select 
at  508.988.6738  or  mheller@cio.com  or 


AN  EXCLUSIVE  PEER  SERVICE  FOR  CIOs  via  www.cio.com/community/select.html. 


The  Resource  for 
Information  Executives 


Not  Secure  on 
Any  Front 

CYBERSECURITY  Fear  the  dis¬ 
gruntled  employee.  This  has  long 
been  the  mantra  of  security  execu¬ 
tives  who  believed  that  an  employee 
who  went  off  the  deep  end  was  more 
likely  than  an  external  source  to 
launch  a  network  attack.  But  a  recent 
survey  by  Deloitte  &  Touche  sug¬ 
gests  that  CSOs  should  evenly  bal¬ 
ance  their  defenses  against  both 
external  and  internal  threats. 


Only  39  percent  of  survey 
respondents  said  they  were 
victims  of  a  cyberattack 

were  attacked  from 
an  external  source 

were  attacked  from 
an  internal  source 

were  attacked  from 
both  internal  and 
external  sources 

reported  that  they 
were  not  attacked 

SOURCE:  DELOITTE  &  TOUCHE  "2003  GLOBAL  SECURITY 
SURVEY" 


You  Hide  It  Well 


PASSWORDS  Every  CSO  dreams  of  the 
perfect  password.  One  that  is  uncrackable, 
yet  easy  for  users  to  remember.  Although 
password  perfection  is  still  the  stuff  of  fan¬ 
tasy,  there  is  a  formula  you  can  use  to  create 
passwords  that  are  both  hard  to  decode  and 
easy  on  the  memory.  All  you  have  to  do  is 
encourage  your  employees  to  get  creative. 

When  it  comes  to  password  integrity,  the 
key  is  to  obfuscate  words  as  much  as  possi¬ 
ble,  says  Samir  Kapuria,  director  of  strategic 
solutions  at  digital  security  consul¬ 
tancy  @Stake.  Mix  the 
words  up  as  much  as 
possible  by  using  both 
upper-  and  lowercase 
letters,  numbers,  sym¬ 
bols  and  punctuation. 

There’s  no  ideal  combina¬ 
tion  of  letters,  numbers 
or  symbols,  Kapuria 
says,  but  try  to  make 
passwords  six  to  eight  characters  long.  The 
goal  is  to  make  each  password  as  difficult 
for  hackers  to  decipher  as  possible.  For 
example,  you  can  use  0  in  place  of  an  O,  @ 
in  place  of  an  A,  or  3  in  place  of  an  E.  Each 
layer  of  difficulty  that  you  add  to  the  pass¬ 
word  will  increase  the  time  it  takes  for  a 
hacker  to  crack  it.  It  can  take  hackers  up  to 
30  days  to  decrypt  some  passwords.  If  you 
require  employees  to  change  their  pass¬ 


words  once  a  month,  you  have  a  good  shot 
at  staying  just  ahead  of  the  game. 

Kapuria  warns  that  CSOs  should  guide 
employees  away  from  the  dictionary  to 
select  passwords.  Hackers  know  that  users 
tend  to  choose  intuitive  passwords  based  on 
whole  words  that  can  be  found  in  a  diction¬ 
ary,  and  so  they’ve  developed  sophisticated 
tools  to  decrypt 
dictionary-based 
words  quickly. 

But  fear  not— you 
don’t  have  to 
resort  to  foreign  lan¬ 
guages  or  gibberish  to  keep 
your  passwords  intact. 

Just  avoid  using  any  word 
that  looks  like  it  makes 
sense,  Kapuria  says.  Instead 
of  using  a  movie  title  as  your 
password,  for  instance,  use  the 
first  letter  of  each  word  in  the  title.  To 
make  the  password  six  to  eight  characters 
long,  insert  dollar  signs  or  other  symbols 
instead  of  putting  a  space  between  letters. 
While  it  may  not  be  100  percent  hack-proof, 
it  won’t  make  sense  to  anyone  but  the  end 
user.  The  employee  stands  a  good  chance  at 
remembering  her  password,  but  it  will  take 
a  hacker  days  to  figure  out.  And  a  few  days 
head  start  on  a  hacker  never  hurt  anybody. 

-Simone  Kaplan 


As  for  the  61  percent  of  survey 
respondents  who  say  they  haven’t 
been  attacked,  Christian  Byrnes, 

Meta  Group  analyst,  says,  “they  just 
don't  know  it  yet.  One  of  the  primary 
functions  of  security  tools  is  to  detect 
security  failures.  It  can  be  very  com¬ 
forting  for  a  manager,  especially  a 
CIO,  to  simply  not  see  what  is  there 
by  deciding  not  to  invest  in  the  nec¬ 
essary  tools  that  detect  security  fail¬ 
ures.  No  investment  equals  no 
detection,  which  equals  no  admission 
of  failure.” 

-Kathleen  Carr 


Is  Spam  Cooked? 

LEGISLATION  Sen.  Debra  Bowen  (D-Calif.)  recently  sponsored  a  bill  that 
would  require  companies  that  want  to  send  e-mail  ads  to  obtain  the  recipient’s  per¬ 
mission  in  advance  if  they  don’t  already  have  a  business  relationship.  Under  the  bill, 
any  Californian  who  receives  spam  can  sue  the  sender  and  the  advertiser  for  $500 
per  spam  message.  Judges  have  the  authority  to  triple  the  fine  if  they  find  that  the 
sender  willfully  violated  the  ban.  The  bill  also  requires  the  court  to  impose  an  addi¬ 
tional  $250  fee  per  spam  judgement  to  help  fund  high-tech  crime  task  forces 
throughout  the  state. 

At  press  time,  the  bill  was  killed  by  a  5-2  vote  in  committee.  But  the  move  to 
limit  spam  is  far  from  dead.  We’d  like  to  hear  your  thoughts.  Do  you  think  sending 
spam  should  be  a  felony  offense?  Vote  online  at  www.csoonline.com  to  register  your 
opinion.  We’ll  publish  the  results  in  the  September  issue.  -Simone  Kaplan 


18  www.csoonline.com  August  2003 


/  Can  you  find 

f  p\/pr\/  rnn i  ip  Hp\/irp 


We  can. 


Take  control  of  your  network  perimeter 
using  FreeMap,  a  new  free  service  from  Qualys. 
Register  now  at  freemap.qualys.com. 


Qualys  FreeMap  is  a  web-based  service  that  lets  you  discover  devices,  identify  their  operating 
systems  and  create  a  visual  topology  of  your  entire  network. There's  no  software  to  install  or 
maintain,  making  it  easy  to  identify  and  monitor  all  your  network  entry  points,  including  routers, 
VPN  servers  and  wireless  access  points.  Qualys  FreeMap  also  enables  you  to  query  DNS  records 
so  you  can  identify  obsolete  or  rogue  devices. 

Take  advantage  of  this  valuable  service  before  someone  takes  advantage  of  your  network. 


For  product  information,  call  toll-free  1-800-745-4355.©  2003  Qualys,  Inc.  All  Rights  Reserved. 


Rep.  Mac  Thornberry  takes  on  cyberspace,  and  the 
House  Select  Committee  on  Homeland  Security. 

It’s  in  Committee 

Q&A  Rep.  Mac  Thornberry  (R-Texas)  has  a 
new  position. ..and  it’s  not  an  enviable  one. 

He  is  the  new  leader  of  the  House  Subcom¬ 
mittee  on  Cybersecurity,  Science,  Research 
and  Development.  Now  take  a  deep  breath, 
we’re  about  to  explain.  Thornberry  is 
responsible  for  helping  the  Department  of 
Homeland  Security  vet  new  technologies  to 
secure  cyberspace.  His  subcommittee  is 
part  of  the  House  Select  Committee  on 
Homeland  Security,  which  was  created  in 
January  2003  to  oversee  the  new  Depart¬ 
ment  of  Homeland  Security.  And  you  thought 


bureaucracy  in  Washington  was  dead! 

CSO  spoke  to  Thornberry  recently  about 
the  challenges  facing  him  in  his  new  role. 

CSO:  How  did  you  get  involved  with  the  issue 
of  cybersecurity? 

Rep.  Mac  Thornberry:  One  of  the  issues  I’ve 
tried  to  focus  on  most  in  Congress  is  long¬ 
term  national  security.  That’s  what  led  me  to 
homeland  security.  I  introduced  a  bill  [HR 
1158]  in  March  2003  to  create  a  separate 
committee  on  Homeland  Security  to  oversee 
the  new  Department  of  Homeland  Security. 
It’s  easy  to  see  the  physical  challenges  to 
homeland  security,  but  the  cyber  aspect  is 
real  and  important  too. 

What  are  some  of  the  issues  facing  the 
cybersecurity  subcommittee  this  session? 

There  are  two  main  issues.  First,  there’s  the 
science  and  technology  piece.  Our  challenge 
is  to  help  the  Homeland  Security  Depart¬ 
ment  identify  new  technologies.  We  also 
need  to  set  research  priorities,  get  a  few 
technologies  field-tested,  and  identify  new 
detectors  and  sensors  for  security.  On  the 
cyber  side,  we  need  to  put  more  congres¬ 
sional  emphasis  on  covering  cybersecurity 
as  a  homeland  security  issue. 

Cybersecurity  issues  are  harder  for  people 
to  visualize  than  physical  security  problems. 
Does  that  make  it  more  challenging  to  bring 
attention  to  cybersecurity  issues? 

Yes.  If  a  bomb  goes  off,  you  see  the  destruc¬ 
tion;  there  are  deaths.  If  a  cyberbomb  goes 
off,  it’s  not  as  easy  to  see  the  effects.  I  think 


appreciation  for  our  dependence  on  systems 
is  growing.  Everybody  pays  for  gas  at  the 
pump,  uses  an  ATM,  does  Internet  banking. 
Part  of  what  we  want  to  do  as  a  subcommit¬ 
tee  is  talk  about  some  of  the  control  systems: 
power  plants,  the  dependence  of  telecom,  the 
water  treatment  plants,  and  energy  and 
chemical  plants.  They  are  all  related  and 
dependent  on  cybertechnologies. 

I  understand  that  one  of  your  goals  is  to  fos¬ 
ter  cooperation  between  the  private  sector 
and  the  government  in  the  area  of  cyber¬ 
security.  How  will  you  approach  this  task? 

The  first  issue  is  to  have  everybody  under¬ 
stand  that  we  will  not  be  successful  without 
this  partnership.  With  80  percent  of  the  criti¬ 
cal  infrastructure  in  private  hands,  the  gov¬ 
ernment  cannot  solve  the  problem  alone. 

I  think  we  can  help  build  trust.  The  first  big 
fight  for  the  Department  of  Homeland  Secu¬ 
rity  was  dealing  with  the  FOIA  exception.  If 
companies  want  to  share  information,  will 
they  face  lawsuits?  That  issue  was  pretty 
well  decided,  but  we'll  have  to  keep  an  eye 
on  it.  We’ll  be  looking  for  other  confidence¬ 
building  measures.  Government  needs  to 
listen  as  much  as  it  talks. 

How  can  CSOs  get  involved  or  make  their 
voices  heard  before  your  committee? 

We’re  lining  up  a  series  of  hearings  right  now, 
and  we  want  to  have  a  mechanism  in  place 
so  that  people  who  are  not  able  to  come  tes¬ 
tify  can  share  their  ideas.  Perhaps  some¬ 
thing  through  the  website.  We’re  not  there 
yet,  but  hopefully  it  won’t  be  too  long.  ■ 


.  Terronsip  is  someone  oiowing  , 

himjselj  up  in  a  crowded  restaurant.  It  s 
not  infecting  computers  with  viruses  or 
forcing  air  tramc  controllers  to  route 
planes  piajiually.  That  copses  annoyance 

QTlH  1  VpIlATl  Oil  Y"^/r"Y|  rPTTVlT*  -COUNTERPANE  INTERNET  SECURITY  FOUND 
AAAAvA.  AA  A  A  LCvvlv/l  A^  AAv^/L/  IA_/A  A  vAA*  AND  CTO  BRUCE  schneier’s  thoughts  on 


-COUNTERPANE  INTERNET  SECURITY  FOUNDER 


AND  CTO  BRUCE  SCHNEIER’S  THOUGHTS  ON 
CYBERTERRORISM 


www.csoonline.com  August  2003 


PHOTO  BY  AP 


Tivoli  software 


See  it  fixed  before  it’s  broken.  *> 

' j 

See  the  problem  before  it  occurs.  ^ 
See  IT  and  business  goals  as  one\  / 


Tivoli  Intelligent  Management  software.  It’s  here  now:  software  that  self-confi 
self-optimizes  and  self-protects.  On  demand.  With  Tivoli,  on  demand  business 

-•  •  -  -  -  .  -v.  V  x  '■/"/  ■  •  X .  \ •  •  .  .  .  •  ’  •  ...  -  • 

than  ever.  You’ll  spend  less  time  worrying  about  mundane  tasks  and  more  time  on 
like  business  results.  For  a  customized  analysis  of  how  Tivoli  can  help  you,  visit  i 


IBM,  Tivoli,  the  e-business  logo  and  e-business  on  demand  are  registered  trademarks  or  trademarks  of  International  Business  Machines  Corporatiprvji 
jnd|mth|r  countries.  V2003  IBM  Corporation.  All  rights  reserved.  riv.vvX 


The  Who,  What  and  Why  of  Washington 

Top  Billing 

NEWS  FROM  INSIDE  THE  BELTWAY 


Carry  On 

The  TSA  cut  its  staff  for  several  reasons:  Its  budget  was  slashed,  it 
overhired— and  some  of  those  hires  were  convicted  felons  By  Julie  Hanson 


HE  TRANSPORTATION  SECURITY 
Agency,  a  federal  agency  developed  after  9/H 
and  charged  with  protecting  the  traveling  pub¬ 
lic  by  air,  land  and  sea,  will  eliminate  6,000 
airport  screener  positions— more  than  10  per¬ 
cent  of  its  workforce— by  the  end  of  this  year. 

During  the  summer  months,  the  TSA  will 
need  to  do  more  with  less. 

Much  less.  If  the  president’s 
proposed  2004  budget  passes, 
the  TSA  is  facing  a  whopping 
$1  billion  budget  cut.  In  2001, 
when  the  airline  screener  hir¬ 
ing  process  began,  Congress 
capped  the  staff  at  45,000. 

However,  the  TSA  exceeded 
this  number,  hiring  55,600 
screeners,  10,000  of  whom 
were  hired  under  the  guise  of 
“temporary  contracts.”  TSA 
spokeswoman  Ann  Davis  says 
these  10,000  employees  were 
hired  when  the  White  House 
federalized  airports,  devel¬ 
oped  the  TSA  and  demanded 
increased  security. 

The  cuts  have  left  some  wondering  how  the 
agency  can  continue  to  secure  U.S.  airports  and 
travelers  while  juggling  port  security  and 
screening  cargo  and  passenger  ships  as  they 
enter  the  country’s  361  major  ports. 

In  response  to  airport  safety  concerns,  Davis 
insists  that  passenger  safety  will  not  be  com¬ 
promised.  While  it’s  true  that  these  cuts  'will 
mean  fewer  checkpoints,  she  says  the  same 
number  of  screeners  will  be  at  each  point.  Davis 
also  notes  that  current  screeners  have  had  more 
intensive  security  training  than  their  predeces¬ 
sors,  who  were  employed  by  private  screening 
companies.  Now  that  the  TSA  is  in  charge, 
training  is  consistent  airport  to  airport. 

But  not  everyone  shares  Davis’s  confidence. 


In  a  May  7  airport  security  report  by  the  Amer¬ 
ican  Association  of  Airport  Executives,  the 
group  noted  that  “the  cuts  are  planned  for 
major  airports,  which  could  present  an 
increased  security  risk  during  the  busier  sum¬ 
mer  travel  season.” 

What  the  TSA  is  also  doing,  according  to  the 
congressional  testimony  of 
Adm.  James  Loy,  TSA  ad¬ 
ministrator,  is  weeding  out 
the  employees  who  are 
criminals.  “We  have  termi¬ 
nated  1,208  screeners  for 
unsuitability  reasons,  most 
of  which  were  revealed  on 
background  checks,”  he 
says.  In  all  fairness,  the 
TSA  received  1.6  million 
job  applications  for  the 
position  of  airport  screener. 
One  might  say  it’s  accept¬ 
able  that  a  few  felons 
slipped  through. 

Loy,  in  his  testimony, 
cites  a  grim  statistic.  In 
Los  Angeles,  of  the  2,500 
screeners  currently  employed,  about  508  have 
“the  potential  of  a  criminal  record,”  meaning 
the  TSA  has  to  further  investigate  them. 

The  TSA  had  an  enormous  task:  to  develop 
a  system  that  would  protect  all  airline  passen¬ 
gers.  But  the  organization  has  some  work  to 
do.  And  the  cuts  aren’t  going  to  help. 

Nancy  Pelosi,  House  Democratic  leader,  sees 
the  TSA  budget  cut  as  a  sign  that  the  govern¬ 
ment  is  not  committed  to  homeland  security. 
According  to  Pelosi,  “We  need  to  do  more  than 
talk  about  homeland  security.  There  is  a  huge 
unmet  need  in  funding  for  homeland  security. 
The  cut  to  the  TSA  is  just  the  latest  example  of 
the  Bush  administration  saying  one  thing  on 
homeland  security  and  doing  another.”  ■ 


The  Department  of  Homeland  Security 
(DHS),  has  created  the  National 
Cyber  Security  Division  (NCSD)  to 
help  implement  the  president's  National 
Strategy  to  Secure  Cyberspace  and  the 
Homeland  Security  Act  of  2002.  The 
NCSD  will  provide  24/7  functions  such 
as  conducting  cyberspace  analysis, 
issuing  alerts  and  warnings,  improving 
information-sharing,  responding  to 
major  incidents,  and  aiding  in  national- 
level  recovery  efforts. 

Vermont  and  New  Jersey  are  develop¬ 
ing  a  digital  licensing  system, 

awarding  Massachusetts-based  Digi- 
marc  ID  Systems  contracts  to  supply 
the  states  with  new  technologies  to 
watermark  their  licenses.  Digital  water¬ 
marking  technology  allows  users  to 
embed  a  digital  code  in  audio,  images, 
video  and  printed  documents  that  is 
imperceptible  during  normal  use  but 
readable  by  computers  and  software. 

The  General  Accounting  Office  recently 
reported  more  than  750  security  weak¬ 
nesses  in  the  IRS’s  general  control 

systems,  with  a  majority  of  those 
weaknesses  focused  in  logical  access 
controls  such  as  password  protection 
and  network  security.  The  GAO  called 
the  IRS  at  “heightened  risk  of  access  to 
critical  data  by  unauthorized  persons.” 

Office  of  Personnel  Management  (0PM) 
security  clearance  forms  SF-86 
and  SF-86C  are  now  online.  The  two 
forms  allow  federal  employees  to  apply 
for  security  clearance  and  quickly 
update  their  information  online.  The 
e-clearance  initiative  is  one  of  President 
Bush’s  24  proposed  e-government 
initiatives. 

News  from  Washington 

To  read  more  about  what’s  happening  in 

Washington,  D.C.,  visit  our  website. 


www.csoonline.com/wonk 


22  www.csoonline.com  August  2003 


PHOTO  LEFT  BY  AP:  TOP  BY  GETTYONE 


Not  with  us  it  isn't. 


We  see  management 
a  little  differently 
from  the  other  guys. 


At  NetlQ,  we  don't  see  a  problem.  Only  solutions. 
Managing  your  Windows  server  environment  is  easier 
than  ever  with  Microsoft  Operations  Manager.  And, 
as  a  key  Microsoft  partner,  NetlQ  extends  Microsoft 
Operations  Manager  to  manage  and  secure  your 
entire  enterprise,  whether  you're  driving  UNIX, 
NetWare,  Linux,  Windows. ..or  all  of  them.  NetlQ. 
We're  the  management  people.  And  nobody  does 
management  smarter.  Nobody. 

CIO  eBook!  Get  your  free  copy  of  From  Chaos  to  Control: 
The  CIO's  Executive  Guide  to  Managing  and  Securing 
the  Enterprise,  www.netiq.com/manageability 


n  _ 

Work  Smarter* 


©Copyright  2003  NetlQ  Corporation.  All  rights  reserved.  Net  IQ  and  the  NetlQ  logo  are  registered  trademarks  of  the  NetlQ  Corporation. 
All  other  names  and  products  mentioned  herein  may  be  the  registered  trademarks  of  their  respective  companies. 


Protect  What’s  Yours 

Hewlett-Packard  Chief  Security  Strategist  Ira  Winkler 
answers  readers’  questions  about  securing  intellectual 
property  and  handling  corporate  espionage 


Q:  How  should  companies  address  the  problem  of  sensitive  information  (customer 
or  employee  data)  leaving  the  company  through  e-mail,  IM  and  printouts? 

A:  This  is  a  very  big  problem  for  many  organizations.  While  there  are  prod¬ 
ucts  available,  and  in  development,  the  technology  to  provide  a  reliable  solu¬ 
tion  is  not  there  yet.  Some  word  processors  have  distribution  features,  such 
as  limited  printing.  You  may  be  able  to  get  products  that  feature  extrusion 
detection.  You  can  also  get  a  clever  administrator  to  configure  your  perimeter 
security  (firewalls,  intrusion  detection 
systems  and  content  filtering  tools)  to  scan 
outgoing  data  in  the  same  way  you  scan 
incoming  data.  You  can  remove  floppy 
drives,  but  USB  ports  can  make  that  effort 
moot.  Controlling  analog  lines  is  a  must. 

For  the  short  term,  you  can  do  only  what  is 
feasible  for  your  own  situation  and  then 
rely  on  data  classification,  nondisclosure 
agreements  and  employee  adherence  to 
your  data  distribution  policies. 

Q:  My  contract  with  a  Web  development 
company  was  recently  terminated  without 
just  cause.  I  completed  the  design  and 
supervision  of  three  projects  but  have  not 
been  paid  for  the  weeks  leading  up  to  my 
termination.  Can  I  retain  intellectual  property  rights  over  the  design  of  the  projects? 
Can  I  advise  the  company’s  clients  of  my  claim  to  the  property? 

A:  The  short  answer  is  no,  and  consult  a  lawyer  immediately.  Your  contract 
should  hopefully  address  conflict  resolution.  It  appears  that  you  were  part  of  a 
team,  so  you  cannot  easily  claim  ownership  of  any  individual  aspect  of  the 
projects.  Contacting  your  client’s  clients  would  probably  open  you  up  to  more 
trouble.  A  lawyer  should  tell  you  what  recourse  you  may  have,  which,  unless 
the  contract  is  extremely  favorable  to  you,  is  probably  limited  to  suing  the 
company  for  money.  There  may  even  be  a  binding  arbitration  clause.  Again, 
consult  a  lawyer  who  is  an  expert  on  contract  law. 

Q:  What  are  the  major  requirements  for  a  nondisclosure  agreement,  and  where  can 
I  find  a  good  example? 

A:  The  first  answer  is,  “It  depends.”  There  are  two  types  of  NDAs— one-sided 
and  mutual.  If  you  write  the  agreement,  you  usually  want  it  one-sided  to  put 
the  requirements  on  the  other  party.  Frequently,  it  may  be  a  mutual  nondis¬ 


closure  statement  to  put  equal  requirements  on  both 
parties.  If  someone  asks  me  to  sign  one,  I  want  it  to 
be  mutual. 

The  agreement  should  include  at  least  a  definition  of 
what  it  covers,  what  is  excluded,  why  the  agreement  is 
in  place  and  why  the  parties  are  providing  the  informa¬ 
tion.  It  should  also  state  the  exclusion  of  information 
that  would  be  or  becomes  public,  how  long  the  NDA  is 
applicable  (outlining  when  you  are  free  from  obliga¬ 
tions),  the  penalties  for  violating  the  terms  of  the  agree¬ 
ment,  whether  arbitration  is  required,  the  state  where 
violations  should  be  filed  and  the  state  whose  laws  will 
be  followed.  There  may  be  more  stipulations  depending 
on  the  nature  of  the  agreement. 

If  you  are  asked  to  sign  an  NDA,  be  careful  about 
clauses  that  may  be  detrimental  to  you  in  the  future. 

For  example,  I  have  seen  some  companies  try  to  sneak 
in  noncompete  and  “do  not  hire”  clauses. 

Concerning  sample  NDAs,  you  can  buy  legal  docu¬ 
ment  software  or  books  with  samples.  For  important 
or  frequently  used  documents,  have  a 
lawyer  create  them. 

Q:  If  your  development  partner  has  an  off¬ 
shore  programming  site,  what  are  reason¬ 
able  controls  for  it  to  meet?  Do  you 
recommend  onsite  visits? 

A:  In  an  ideal  world,  I  would  want  the 
development  partner  to  be  a  U.S. -based 
company  that  happens  to  have  an  off¬ 
shore  site.  Otherwise,  the  company  you 
use  should  be  well-established. 

Policies  and  procedures  should  clearly 
state  how  the  company  and  its  employ¬ 
ees  are  required  to  treat  your  confiden¬ 
tial  intellectual  property.  These  policies 
should  also  stipulate  that  you  own  all 
rights  to  the  software  that  you  contract  for  develop¬ 
ment.  Since  the  amount  of  effort  you  put  into  protect¬ 
ing  intellectual  property  is  the  balancing  of  risk,  you 
have  to  determine  what  is  at  stake.  I  would  also  recom¬ 
mend  that  you  rereview  the  developer’s  procedures  at 
least  every  six  months.  You  pursue  offshore  options  to 
save  money;  however,  there  is  always  a  cost.  If  you  try 
to  save  money  up-front  by  cutting  corners,  it  can  end 
up  costing  you  much  more  in  the  end.  ■ 


Ask  Your  Peers 

Have  a  security  topic  to  suggest  or  an  expert  you'd  like  to  hear  from? 
Send  your  thoughts  to  Assistant  Managing  Editor  Kathleen  Carr  at 
kcarr@cxo.com.  Go  online  to  see  what  your  peers  are  discussing. 


www.csoonline.com/counsel 


24  www.csoonline.com  August  2003 


R  uthenex' 


Strong  Authentication 
Web  Access  Control 


Strong  Authentication 


Affordable  Strong  e-Security 


More  e-Security 
for  Less  Money 

Pay  2/3  less  for  strong  (two-factor)  authentication 
Use  the  same  A-Key™  for  an  optional  suite  of  strong 
e-security 


File/Folder/HD  Encryption 
Secure  File  Exchange 
Digital  Cert  Storage 


You  get  strong  authentication  more  versatile  than  that  provided  by 
the  industry  leader,  for  1/3  the  price.*  Plus,  you  can  use  the  same 
A-Key  token  for:  web  access  control,  128-Bit  AES  encryption  for 
files/hard  disk/folders,  secure  file  exchange,  and  storage  for  digital 
certificates.  You  save  even  further  through  ease  of  deployment  and 
management. 


*  Price  comparison  and  token  prices  are  approximated  based  on  average  per  token  retail  price  of  RSA  SecurlD  tokens  (in  25  pack  of  5 
year  tokens)  randomly  surveyed  from  internet  retailers  on  May  13,  2003,  and  the  average  per  token  retail  price  of  Authenex  A-Key  tokens 
(in  25  pack  of  tokens)  as  of  May  13,  2003.  Prices  are  for  tokens  only  and  do  not  include  related  software.  Prices  may  be  subject  to 
change  without  notice. 


Get  your  FREE  A-Key  today** 

on  the  web  at  www.authenex.com 
or  call  us  at  1.877.AUTHENEX 


fluthenex' 

Affordable  Strong  e-Security 


Microsoft 

CERTIFIED 


**  Certain  terms  and  conditions  may  apply. 


©  2003.  Authenex,  Inc.  All  Rights  Reserved.  Authenex,  A-Key  and  associated 
logos  are  trademarks  of  Authenex,  Inc.  All  other  registered  and  unregistered 
trademarks  in  this  document  are  the  sole  property  of  their  respective  owners 


The  Highs  (and 
Lows)  of  the  CSO 


Pity  the  public-sector  CSO.  He  has  to  overcome  all  the 
typical  security  pitfalls— and  he  gets  to  do  it  all  in  a 
bureaucratic  fishbowl.  By  David  H.  Holtzman 


T’S  NOT  AN  EASY  TREK,  BECOMING  A  SECURITY  MANAGER. 
But  of  all  the  possible  security  executive  jobs  out  there,  none  is  probably  as  chal¬ 
lenging  as  the  public-sector  job.  The  government  CSO  most  likely  has  climbed  his 
career  mountain  without  a  Sherpa  or  a  harness  to  catch  him  if  he  falls. 

For  starters,  cultural  and  situational  issues  unique  to  government  jobs  make  for 
a  particularly  tough  journey  for  the  government  CSO.  In  the  Office  of  Management 
and  Budget’s  2001  Government  Information  Security  Reform  Act  report  to  Con¬ 
gress,  for  example,  six  IT  security  weaknesses  in  government  were  identified. 
They  included  a  lack  of  attention  to  IT  security  by  senior  management  and  non¬ 
existent  IT  security  performance  measures.  In  addition,  the  report  cited  poor 
security  education  and  awareness,  a  lack  of  fully  funded  and  integrated  security, 
a  failure  to  ensure  that  contractor  services  are  adequately  secure,  and  a  problem 
with  detecting,  reporting  and  sharing  information  on  vulnerabilities. 

Although  those  weaknesses  exist  outside  the  public  sector,  they  are  exacerbated 
in  government  agencies  where  procedural  problems  and  incom¬ 
petent  management  can  inflate  them.  Here  are  the  facts: 

Government  security  officers  have  less  control  than  their 
civilian  counterparts.  While  industry  executives  are  con¬ 
strained  by  their  budgets,  government  employ¬ 
ees  have  to  buy  goods  and  services  from  a 
GSA-approved  list,  and  they  are  bureau¬ 
cratically  hampered  in  their  hiring. 

They  are  also  critically  dependent  on 
outsourced  labor  and  do  not  have 
insight— beyond  routine  security 
clearances— into  their  contractors’ 
backgrounds. 

All  federal  executives  live  in  a 

fishbowl.  In  the  private  sector, 

CSOs  answer  solely  to  the  exec¬ 
utive  team.  Public-sector  CSOs 
have  lists  of  executives  they  report 
to.  These  CSOs  are  also  subject  to 
investigations  by  regulator)'  agen¬ 
cies  such  as  the  GAO  or  the  OMB 
and  congressional  committees. 

The  fat  lady  never  sings  for  government 
employees.  The  actions  of  the  government 


CSO  can  become  public  information  via  FOIA  (Freedom 
of  Information  Act)  years  later,  even  if  he’s  no  longer  a  gov¬ 
ernment  employee.  The  federal  wind  blows  in  many  direc¬ 
tions  and  the  political  climate  can  change  quickly;  the 
decisions  that  government  CSOs  make  today  will  be  meas¬ 
ured,  in  hindsight,  using  a  moral  barometer  that  is  cali¬ 
brated  to  tomorrow’s  regulatory  environment. 

Government  computers  will  always  be  prime  targets.  In 
theory,  security  should  be  taken  seriously  everywhere, 
but  in  practice,  some  places  are  more  likely  to  attract 
problems  than  others.  Government  data  centers  are  prime 
targets.  If  the  motive  is  terrorism  or  information  warfare, 
the  hackers  involved  will  be  highly  motivated  profes¬ 
sionals  with  an  agenda,  not  disgruntled  employees  or 
bored  teenagers. 

Defending  a  prime  target  is  very  different  than 
installing  perimeter  protection.  The  defensive  stance 
employed  by  CSOs  is  based  on  the  same  principle  that  is 
followed  by  virus  checkers— block  things  that  have  been 
seen  before.  But  the  hot  spots  (such  as  government  net¬ 
works)  wall  experience  the  destructive  and  innovative  tac¬ 
tics  of  experienced  hackers.  It’s  much  harder  to  defend 
against  innovative  attacks  that  you  haven’t  encountered 
before  than  those  that  you  have  learned  to  block. 

Conflicting  messages  are  difficult  to  decipher.  An 
unenlightened  management  group  armed  with  high  expec¬ 
tations  is  a  difficult  group  to  work  with.  I  once  recom¬ 
mended  a  new  client/server  system  to  a  senior  government 
customer  and  was  told  that  servers  cost  too  much;  they  just 
wanted  clients.  I’m  reminded  of  that  story  when  I  read 
about  proposed  e-government  initia¬ 
tives  that  lack  a  commensurate 
budgetary  increase  for  agency 
security.  The  GAO  said  earlier 
this  year  that  “significant  information 
security  weaknesses  continue  to  place  a 
broad  array  of  federal  operations  and 
assets  at  risk  for  fraud,  misuse  and 
disruption.” 

The  fact  is,  U.S.  information 
security  is  in  lousy  shape.  Out¬ 
sourcing  and  privatization  are  not 
likely  to  improve  the  situation  and 
might  actually  make  it  worse.  True 
security,  however,  is  patient  pro¬ 
fessionalism  fueled  by  adequate 
funding.  ■ 


David  H.  Holtzman,  former  CTO  of  Network 
Solutions,  also  worked  as  a  cryptographic 
analyst  with  the  U.S.  Navy  and  as  an  intelligence 
analyst  at  DEFSMAC.  He  can  be  reached  at  david@ 
globalpov.com. 


26  www.csoonline.com  August  2003 


ILLUSTRATION  BY  ERIC  COLQUHOUN 


Companies  everywhere  are  facing  a  new  kind  of  threat. 
Fortunately,  there’s  a  new  level  of  protection. 


Introducing  Application  Intelligence  only  from  Check  Point. 

The  Internet  is  evolving.  So  is  the  technology  that  keeps  it  secure.  Now  Check  Point  introduces 
Application  Intelligence— a  major  breakthrough  in  the  evolution  of  Internet  security  and  a  definitive 
response  to  the  growing  problem  of  application  level  attacks.  With  Application  Intelligence  integrated 
into  Check  Point  FireWall-1  and  Smart  Defense,  your  business-critical  systems  are  safe  from  both 
network  and  application  level  attacks.  By  providing  the  world’s  only  truly  integrated  security  infrastructure, 

Check  Point  centralizes  and  strengthens  your  defense  against  attack  at  every  level,  every  location.  Want 
to  take  Internet  security  to  the  next  level?  Get  the  revealing  new  white  paper  that  tells  you  everything 
you  need  to  know  about  the  latest  cyber  threats,  “Internet  Security  Redefined:  A  new  level  of  integration, 
a  new  level  of  protection.”  at  www.checkpoint.com/appint/cso 

We  Secure  the  Internet 


Check  Point 

sorrwAnc  TFCHwotooif*  l»d 


©2003  Check  Point  Software  Technologies  Ltd.  All  rights  reserved. 


*  I.T.  V  -WCii 

i  vWrf  •  T 'rWM  >'<^  * 


■  f-  v\f  u'-  'r*  • 


%c;-  •  ^■'■■,C  •  l" 

.'•■'•{' v *'<'  '■' 

.  •  '■  ' 

■>■••.  W;.  ..  •.;• . 


t ;; 1 

h“‘lrt'A*i  '■ ; A  /  •/  ;.  7 


I  ■ ■■'  /  •  " 

I  • 


*£ 


^  £:  ,:y£  «  /  t  h.'’  •; 

«•.:.  '  ,-.  -  ‘  ':'V;' . 

/.  ‘S'.  ; 

^V; TMjt.  w-„  ■,: 

-  i-/ ^  r.- > S  r- ;".  --•  v  •><  \ 


#*|§  fM#-  ‘ 

\  ?‘f  i:  :'r  •  -••'  •  vv  • 

;.  :•;■  ■  .  ■  * 
.  :•  •  -  '<•  •::  - 


■  ■-.■  W  ;■  .; 

:  ■'..  ntfmwmM*:. 

■  '■'■  ■  ./I.  'ft-,  .  ' 


Chemical  companies  may  be  terrorist  targets 
The  industry  is  pulling  together  to  tighten 
physical  and  electronic  security,  but  it  still 
faces  a  troubling  mixture  of  xmlner abilities. 

By  Bob  Violino 


Every  five  seconds,  a  Web-attached  camera 

snaps  a  picture  of  the  computer  room  at  Arch  Chemicals.  Those  images 
go  to  a  central  security  console  for  review.  Should  an  intruder  appear, 
Arch  security  personnel  will  be  alerted  instantly.  Not  that  it’ll  be  easy 
for  the  intruder  to  get  there  in  the  first  place;  after  all,  Arch  has  new 
fences,  more  guards,  better  lighting,  employee  ID  badges  and  a  raft  of 
other  recent  security  improvements. 

This  is  the  aftermath  of  9/11,  a  day  when  chemical  businesses  expe¬ 
rienced  an  abrupt  shift  in  their  thinking  about  potential  security 
threats.  As  Arch  CSO  Ross  Barnes  says,  “Chemical  companies  typically 
haven’t  looked  at  this  from  an  adversarial  standpoint— what  we  have 
on  the  [manufacturing]  sites  that  could  be  a  target  for  terrorists,”  as 
opposed  to  perhaps  simpler  problems  such  as  accidents  or,  at  worst, 
vandalism.  Now  the  industry’s  CSOs  are  pondering  things  like  how  to 
stop  someone  from  blowing  up  a  truck  next  to  a  processing  plant,  or 
finding  an  electronic  inroad  to  disable  shutoff  valves  in  a  hazardous 
mixing  process.  And  this  isn’t  just  CSO  paranoia  talking. 

“Chemical  facilities  may  be  attractive  targets  for  terror¬ 
ists  intent  on  causing  economic  harm  and  loss  of  life,” 
said  the  U.S.  General  Accounting  Office  in  a  March 
report  highlighting  the  vulnerabilities  of  the  industry. 

As  Arch  Chemicals  demonstrates,  a  new  set  of  threats 
requires  a  new  set  of  security  measures.  These  chal¬ 
lenges  have  set  off  a  wave  of  cooperation  and  commu¬ 


Arch  Chemicals  CSO  Ross  Barnes  (left) 
and  CIO  Al  Schmidt  get  digital  and 
physical  security  on  the  same  page. 


nication  throughout  the  industry.  At  Arch,  Barnes  is  working  more 
closely  than  ever  with  Vice  President  of  Information  Technology  and 
CIO  Al  Schmidt  to  keep  logical  and  physical  security  in  sync.  And  col¬ 
laboration  doesn’t  stop  at  company  borders.  The  industry  is  taking  a 
gang-tackling  approach,  creating  joint  efforts  such  as  the  Chemicals 
Sector  Cyber-Security  Information  Sharing  Forum  to  determine  and 
disseminate  best  practices.  “We’ve  seen  industries  where  the  response 
is  to  put  up  a  wall  of  lawyers  and  deflect  responsibility  as  long  as  pos¬ 
sible.  We’re  making  a  very  serious  attempt”  to  ensure  collaborative!} 
that  plants  and  computer  infrastructures  are  secure, 
says  Schmidt. 

That’s  good  because  there  is  a  lot  of  work  to  do. 
Chemical  companies  face  a  number  of  significant  hur¬ 
dles  in  their  race  toward  better  security:  Small  compa¬ 
nies  in  the  supply  chain  lack  resources  to  enact  new 
measures.  Information-sharing  within  the  industry  and 
with  the  government  still  needs  improvement.  And 


IN  THIS  STORY:  How 

competitors  within  the 
chemical  industry  are  col¬ 
laborating  on  security 
efforts  ■  The  problems 
with  process  control 
systems 


August  2003  www.csoonline.com 


PHOTO  LEFT  BY  AP:  PHOTO  RIGHT  BY  TRACEY  KROLL 


Industry  Profile  |  Chemicals 


while  the  industry  shows  progress  in  those 
two  areas,  there’s  a  spanner  in  the  works: 
process  control  systems  that  are  increasingly 
internetworked  but  resistant  to  standard 
infosecurity  tools  and  practices. 

Baby  Steps 

Two  of  the  easier  hurdles  to  jump  are  ensur¬ 
ing  that  small  companies  also  improve  their 
security,  and  fostering  information-sharing 
across  the  industry. 

Greg  Holton  is  leader  of  the  security  vul¬ 
nerability  analysis  team  at  Crisis  Management 
Worldwide,  a  security  consultancy  that  works 
with  chemical  companies.  Holton  says  many 
small  companies  believe  they’re  unlikely  tar¬ 
gets  for  attacks,  and  therefore  aren’t  as  pre¬ 
pared  as  their  big  brothers.  But  given  recent 
media  attention  to  threats  against  “soft  tar¬ 
gets,”  they  too  need  to  take  steps  to  guard 
against  security  breaches.  In  tightly  intercon¬ 
nected  industries,  a  breach  in  a  small  company 
can  have  a  snowball  effect.  “The  chemical 
industry  is  highly  integrated,  and  to  a  large 
extent,  companies  are  customers  and  suppli¬ 
ers  to  each  other,”  notes  Theresa  Grant,  direc¬ 
tor  of  information  security  at  Dow  Chemical. 
“Our  security  is  only  as  strong  as  the  weakest 
link.  We  can  have  strong  security  internally 
and  not  address  the  concern  of  partners  in 
the  supply  chain,  so  we’d  still  be  vulnerable.” 

The  economy  compounds  this  problem,  of 
course.  Budgets  are  battened  down.  “In  tough 
economic  times,  it’s  hard  getting  the  people 
and  resources  to  participate  in  projects,”  says 
Grant.  And  the  little  guys  have  the  fewest 
resources  to  begin  with. 

Nevertheless,  collaborative  projects  are 
chipping  away  at  both  this  problem  and  the 
need  for  greater  information-sharing.  One 
such  project  is  the  Chemical  Sector  Informa¬ 
tion  Sharing  and  Analysis  Center  (ISAC), 
formed  in  April  2002  with  the  FBI’s  National 
Infrastructure  Protection  Center  (NIPC).  The 
ISAC,  similar  to  efforts  in  other  industries, 
enables  security-related  information  to  move 
effectively  between  the  NIPC  and  chemical 
companies.  It  will  be  operated  by  the  Chemi¬ 
cal  Transportation  Emergency  Center,  the 
emergency  response  communications  center 
for  a  group  called  the  American  Chemistry' 
Council  (ACC).  “We’ve  embraced  ISAC  as  a 


key  capability  for  sharing  information  about 
security,”  says  Christine  Adams,  Dow’s  per¬ 
formance  chemicals  business  IS  manager. 

Adams  is  also  the  program  manager  of  the 
Cyber-Security  Program,  another  team  effort 
within  the  Chemicals  Sector  Cyber-Security 
Information  Sharing  Forum,  also  formed  in 
April  2002.  Adams  says  the  program  is  devel¬ 
oping  a  road  map  to  help  companies  identify 
information  for  law  enforcement  agencies.  She 
expects  it  to  be  available  by  the  third  quarter  of 
this  year.  A  key  forum  goal  is  getting  the  word 
out  about  security  guidelines  to  all  chemical 
companies,  says  Adams.  “The  success  of  our 
program  hinges  directly  on  the  rate  of  adoption 
of  the  work  that  comes  out  of  the  program.” 
She  says  the  forum  will  also  work  with  security 
technology  vendors  to  identify  ways  the  ven¬ 
dors  can  better  serve  the  chemical  industry 
through  new  products  or  upgrades. 

Still  another  collaborative  work,  again 
affiliated  with  the  forum,  is  the  ACC’s  Re¬ 
sponsible  Care  cybersecurity  team.  The  ACC 
developed  the  Responsible  Care  program  to 
ensure  that  chemical  plants  are  operating 
safely  and  securely.  It  requires  all  members  to 
evaluate  plant  vulnerabilities,  including  phys¬ 
ical,  IT  and  process  control  security.  The  team 
has  developed  a  security  code  for  all  165  ACC 
member  companies,  which  account  for 
90  percent  of  all  the  chemicals  made  in  the 
United  States.  The  code  includes  a  set  of 
industry-specific  guidelines  to  help  reduce 
risks,  such  as  network  intrusions  by  hackers. 
The  guidelines  require  senior  management 
commitment  to  continuous  improvement  in 
security;  prioritization  and  periodic  analysis  of 
potential  security  threats  and  vulnerabilities; 
development  and  implementation  of  security 
measures  commensurate  with  risks;  docu¬ 
mentation  of  security  management  programs; 
and  audits  to  assess  security  programs  and 
processes.  In  March,  the  ACC’s  120  highest- 
priority  facilities  completed  assessments  of 
physical  and  cybersecurity  vulnerabilities,  as 
required  by  the  code’s  deadline. 

Participants  are  enthused  about  this 
sharing-is-caring  approach.  “I  think  we’re 
making  good,  steady  progress,”  says  Charles 
Curry,  Eastman  Chemical’s  senior  systems 
associate  who  is  responsible  for  information 
security.  “It’s  essential  that  eveiyone  in  the 
industiy  work  together  on  this.  We  are  becom¬ 


ing  more  dependent  on  one  another,  and  our 
industry  impacts  many  other  critical  services 
and  industries.”  Curry  says  Eastman’s  involve¬ 
ment  in  the  cooperative  initiatives  has  helped 
the  company  identify  specific  weaknesses.  For 
example,  while  Eastman  had  adequate  backup 
for  its  infrastructure  and  critical  applications, 
it  needed  to  improve  its  business  continuity 


Dow  Chemical’s  Theresa  Grant  (left),  director  of 
information  security,  and  Christine  Adams, 
performance  chemicals  business  IS  manager, 
spearhead  collaboration  with  supply  chain  partners. 


30  www.csoonline.com  August  2003 


All  Together  Now 


:  .  V.V-Y 
V 

Vim* 


THE  GOVERNMENT’S  CALL  FOR 
BETTER  SECURITY  YIELDS  A 
PLETHORA  OF  INDUSTRYWIDE 
FORUMS  AND  PROGRAMS 

Spearheading  many  of  the  chemical 
industry’s  security  efforts  is  the  Chemi¬ 
cals  Sector  Cyber-Security  Information 
Sharing  Forum,  which  was  created  in 
April  2002  in  response  to  the  federal 
government’s  call  for  enhanced  secu¬ 
rity  in  the  industry. 

The  Washington,  D.C. -based  forum 
includes  10  industry  associations  repre¬ 
senting  more  than  2,000  chemical 
companies.  The  group  initially  created 
a  task  force  of  16  security  experts  in 
the  industry,  covering  areas  such  as 
physical,  information  and  process  con¬ 
trol  security;  supply  chain  management 
and  logistics;  industry  collaborations; 
standards  development;  legal;  and 
telecommunications. 

The  plan  was  submitted  to  Richard 
Clarke,  former  chairman  of  President 
Bush’s  Critical  Infrastructure  Protec¬ 
tion  Board,  for  inclusion  in  the  National 
Strategy  to  Secure  Cyberspace. 

Late  in  2002,  the  forum  created  a 
Cyber-Security  Program  to  evaluate 
security  technologies  and  collaborate 
with  technology  providers,  determine  a 
common  industry  standard,  recom¬ 
mend  security  practices  and  policies, 
and  develop  an  information-sharing 
network  through  which  members  could 
exchange  ideas  and  distribute  warnings 
about  security  threats. 

In  January,  the  forum  and  the  Chem¬ 
ical  Industry  Data  Exchange  (CIDX) 
trade  association  unveiled  the  Chemi- 
cals  Sector  Cyber-Security  Practices,. 
Standards  and  Technology  Initiative 
This  effort,  run  by  a  newly  formed'ClPX 
business  unit,  will  implement  the  stan- 
dards  and  practices  component  of  the 
forum  program.  •  :  /  -B.V. 


/'  .  (-1 

S  \»  j  y'*- 

-  v  •••  ' 


v  ■.  v?  -  . 

'  •  &■:'  ~  \  ■ 

,  ‘ 

-  ' 


l  ■ 


.  ■* 


£ 


•  ■:.  & 

& 


strategy— such  as  how  to  quickly  react  in  the 
event  of  a  security  breach.  Similarly,  Grant 
says  Dow  expects  to  gain  insight  into  how  well 
its  supply  chain  partners  are  securing  their 
networks,  and  assess  the  potential  risks  of 
partners  connecting  to  Dow’s  networks  to 
place  orders  or  provide  information. 

While  chemicals  is  an  interconnected 
industry,  these  companies  still  compete  with 
one  another.  Will  competitive  pressures  stand 
at  odds  with  all  the  information-sharing 
efforts?  So  far,  the  industry  is  at  least  sound¬ 
ing  the  right  notes  in  that  regard.  “There’s 


nothing  proprietary  about  security,”  says 
Bobby  Gillham,  manager  of  global  security  at 
ConocoPhillips,  which  operates  a  chemical 
joint  venture  with  ChevronTexaco.  “Are  we 
sharing  the  processes  we  use  to  make  prod¬ 
ucts?  No.  But  we  are  sharing  information 
about  vulnerabilities  and  threats.” 

“As  long  as  it’s  within  the  guidelines  of  the 
antitrust  laws,  I’m  quite  comfortable  with  it,” 
adds  Eastman’s  Curry.  “We’re  not  sharing 
anything  that  relates  to  products  or  pricing. 
Were  sharing  our  experiences  with  security.” 
Or  as  Dow’s  Adams  puts  it,  “We’re  not  giving 
away  any  secrets.” 

Despite  evident  progress  by  these  groups, 
the  GAO  and  industry  analysts  question 
whether  the  industry’s  efforts  are  enough. 
Environmental  Protection  Agency  officials 
estimate  that  voluntary  initiatives  led  by 
industry  associations  reach  only  a  portion  of 
the  15,000  facilities  that  need  to  be  secured, 
according  to  the  GAO  report.  Although  imple¬ 
mentation  of  Responsible  Care  is  a  condition 
of  ACC  membership,  the  ACC  lacks  an 
enforcement  mechanism  to  ensure  that  mem¬ 
ber  companies  comply. 

The  industry  faces  a  number  of  challenges 
in  preparing  facilities  against  attacks,  the 
GAO  says,  including  ensuring  that  they  obtain 
adequate  information  on  threats  and  deter¬ 
mining  appropriate  security  measures  given 
the  level  of  risk.  The  industry  also  faces  diffi¬ 
culties  in  making  sure  all  facilities  that  pro¬ 
duce  or  store  hazardous  chemicals  are 
addressing  security  concerns.  For  example, 
“Despite  the  industry’s  voluntary  efforts,  the 
extent  of  security  preparedness  at  U.S.  chem¬ 
ical  facilities  is  unknown,”  the  report  says.  It 
recommends  that  the  U.S.  Department  of 
Homeland  Security  and  the  EPA  jointly 
develop  a  comprehensive  national  chemical 
security  strategy  that  identifies  high-risk 
facilities  and  collects  information  on  industry 
security  preparedness;  specify  the  responsi¬ 
bilities  of  each  federal  agency  partnering 
with  the  chemical  industry;  and  develop 
information-sharing  mechanisms. 

Crisis  Management  Worldwide’s  Holton 
seconds  the  notion  that  more  work  remains. 
“Some  chemical  plants  have  very  good  secu¬ 
rity,  fencing,  lighting  and  procedures  in  place,” 
he  says.  “Other  facilities  are  unprepared. 
Fences  are  falling  down,  people  wander  onto 


PHOTO  BY  KEVIN  MIYAZAKI 


Industry  Profile  I  Chemicals 


Uncle  Sam  Wants  More 

THE  INDUSTRY’S  VOLUNTARY  EFFORTS  AREN'T  LIKELY  TO  FORESTALL  ALL  LEGISLATION 


developed  by  the  Department  of  Homeland  Security.” 

Such  regulation  would  fill  a  void  noted  in  “The  National  Strategy  for 
Physical  Protection  of  Critical  Infrastructure  and  Key  Assets”  report, 
issued  by  the  White  House  in  February.  While  the  report  applauded  the 
industry’s  security  initiatives,  it  noted  that  a  “significant  percentage  of 
companies  that  operate  major  hazardous  chemical  facilities  do  not  abide 
by  voluntary  security  codes  developed  by  other  parts  of  the  industry.” 

Christine  Adams,  performance  chemicals  business  IS  manager  at 
Dow  Chemical  and  program  manager  of  the  Cyber-Security  Program 
within  the  Chemicals  Sector  Cyber-Security  Information  Sharing 
Forum,  says  the  group  supports  the  new  legislation.  “It  will  assure  that 
vulnerability  assessments  are  being  conducted,”  she  says.  -B.V 


While  the  chemical  industry  tries  to  improve  security  through  collabo¬ 
rative  efforts,  the  federal  government  may  provide  further  impetus  to 
ensure  that  the  critical  sector  is  well  protected. 

Congress  is  considering  legislation  introduced  in  May  that  would 
allow  the  Department  of  Homeland  Security  to  mandate  chemical  facil¬ 
ity  security  measures.  The  Chemical  Facilities  Security  Act  of  2003, 
introduced  by  Sen.  James  Inhofe  (R-Okla.)  and  Sen.  Zell  Miller  (D-Ga.), 
requires  chemical  companies  to  complete  vulnerability  assessments 
and  site  security  plans.  Penalties  for  noncompliance  are  stiff. 

“No  one  gets  a  free  pass  under  this  bill;  no  one  is  exempt,"  Inhofe 
said  in  introducing  the  bill.  “Chemical  facilities  must  abide  by  the  legis¬ 
lation's  security  requirements  and  any  rules,  procedures  or  standards 


the  property.  Access  is  uncontrolled.”  Even¬ 
tually  the  GAO’s  proposed  legislative  action 
may  be  required  to  force  the  hand  of  small 
companies  or  other  laggards  (see  “Uncle  Sam 
Wants  More,”  this  page). 

The  Process  Problem 

The  process  control  system  problem  may 
prove  more  intractable.  Process  control  sys¬ 
tems  (SCADA  being  the  most  widely  known 
associated  acronym— Supervisory  Control  and 
Data  Acquisition  systems)  manage  and  over¬ 
see  various  pieces  of  the  manufacturing 
process:  tank  sensors,  cooling  systems,  and 
valves  that  stop  or  start  the  flow  of  chemicals, 
oil  or  other  liquids. 

How  vulnerable  these  systems  really  are  to 
a  cyberattack  is  the  subject  of  much  debate. 
But  Joe  Weiss,  a  consultant  at  Kema,  assures 
that  the  threat  is  very  real  indeed,  and  has 
documented  at  least  30  such  attacks.  One 
example  was  the  Slammer  worm,  which  Weiss 
says  interfered  with  a  number  of  control  sys¬ 
tems  at  power  and  oil  companies— even 
though  those  companies  and  systems  weren’t 
the  primary  target.  The  process  industry  dis¬ 
ruptions  w'ere  collateral  damage  in  an  attack 
that  was  aimed  at  the  Internet’s  root  servers. 

Simply  passing  legislation  mandating  a  fix 
won’t  actually  help  because,  according  to 
Weiss,  neither  the  technology  nor  the  prac¬ 
tices  to  secure  process  control  systems  cur¬ 
rently  exist. 

On  the  technolog}'  side,  control  systems  are 
designed  to  be  highly  reliable  and  interoper¬ 


able.  “The  controllers  used  in  the  front-end 
processors  of  these  control  systems  are  dif¬ 
ferent  than  those  used  in  business  systems,” 
says  Weiss.  Operator  and  engineer  worksta¬ 
tions  are  now  utilizing  off-the-shelf  operat¬ 
ing  systems  such  as  Microsoft  or  Unix.  And 
some  plants  even  connect  their  manufacturing 
systems  using  wireless  communications 
devices.  So  the  applications  themselves  are 
proprietary  and  not  compatible  with  standard 
infosec  tools— but  the  OSs  and  communica¬ 
tion  protocols  are  wade  open. 

On  the  practice  side,  Weiss  notes  that 
cybersecurity  procedures  widely  accepted  as 
best  practices,  such  as  ISO  17799,  actually 
include  steps  that  can  be  disastrous  when 
applied  to  control  systems.  An  example:  If  an 
employee  mistypes  his  password  three  times, 
a  common  practice  is  to  lock  that  access 
account  until  management  can  review  the  sit¬ 
uation  to  make  sure  a  hacker  isn’t  flailing  away 
with  a  password-guessing  program.  But  if  that 
employee  is  in  fact  a  console  operator  who 
needs  to  shut  a  stuck  valve  in  a  hazmat  man¬ 
ufacturing  operation,  the  lockout  can  create 
havoc.  Similarly,  Weiss  says  that  requiring 
console  operators  to  frequently  change  pass¬ 
words,  and  use  hard-to-remember  strings,  is 
another  ingredient  in  a  recipe  for  failure. 

At  most  chemical  and  other  manufacturing- 
companies,  Weiss  adds,  the  IT  group  is 
responsible  for  information  security  but 
doesn’t  understand  control  systems.  And  the 
operations  group  is  responsible  for  control 
systems  but  not  for  security.  Result:  The 
whole  issue  falls  through  the  cracks. 


The  industry’s  combined  initiatives  will 
include  steps  to  ensure  that  process  control 
systems  are  secure.  Initiatives  such  as  the 
forum  are  aiming  to  include  not  only  infor¬ 
mation  security  experts  but  people  who  under¬ 
stand  process  control  systems.  There  are 
standards  and  other  organizations  devoting 
efforts  to  secure  control  systems.  For  example, 
the  Chemical  Industry  Data  Exchange  trade 
association  is  participating  in  the  Instrumen¬ 
tation,  Systems,  and  Automation  Society  (ISA) 
process  controls  cybersecurity  committee  ISA- 
SP99-  Meanwhile,  technology  solutions  are 
also  needed.  Weiss  says  the  U.S.  Department 
of  Energy,  through  the  National  SCADA  Test 
Bed,  plans  to  develop  tools  addressing  this 
problem. 

But  where  process  control  systems  security 
is  concerned,  we’re  a  long  way  from  a  solution. 
And  that  appears  to  be  a  good  encapsulation 
of  security  in  the  chemicals  industry  at  large. 
They’re  going  after  it,  but  they’ve  still  got  a 
long  way  to  go.  ■ 


Bob  Violino  is  a  freelance  writer  based  in  Massapequa  Park, 
N.Y.  Send  feedback  to  Executive  Editor  Derek  Slater  at 
dslater@cxo.com. 


Are  Voluntary  Measures  Enough? 


In  spite  of  the  chemical  industry’s  laudable  efforts  to 
develop  security  standards,  the  feds  are  still  applying 
the  pressure.  Can  the  industry  be  trusted  to  develop  its 
own  security  policies  (and  enforce  them),  or  should  the 
government  intervene?  Type  the  DocID  number 
(above)  into  the  search  box  at  CSOonline.com  and 
post  your  comments  to  TALK  BACK. 


32  www.csoonline.com  August  2003 


If  you  think  you  know  about  securing  your  people  and  organization,  we'll  promise  one  thing. . . 


National  Summit  On  Security  •  October  1-3, 2003  •  Washington,  D.C. 


More  than  another  security  show,  the  National  Summit  on  Security  is  a  critical  gathering 
of  the  greatest  minds,  newest  technologies  and  most  eye-opening  conferences  ever 
assembled  on  physical  security  and  safety. 

The  need  for  smart  solutions  is  timely  and  real  for  both  the  private  and  governmental 
sectors.  That's  why  the  Summit  includes  up-to-the-minute  information  on  emerging  security/ 
safety  trends  and  issues. 

Also,  more  than  500  industry-leading  manufacturers  and  suppliers  of  security  products  and 
services  will  be  here.  Access  Control,  Biometrics,  CCTV,  Systems  Integration  -  it's  all  here. 

For  FREE  admission,  register  online  at  www.NationalSummitonSecurity.com  to  secure 
your  place  at  the  National  Summit  on  Security  at  the  Washington  Convention  Center  in 
Washington,  DC. 


Sponsored  By:  Produced  By: 


Reed  Exhibitions 


Proven.  S*cur*. 


X 


Corporate  Partners: 

ACJElVICa 

GROUP 


HID  CORPORATION 


©  2003  Reed  Elsevier  Inc. 


Code:  CSO 


Cover  Story 


( 


PATCH  AND  PRAY 

It’s  the  dirtiest  And 

by  SCOTT  BERINATO 

single  data  packet M» ^  ^  fee  slammer 

which  would  come  to  te  to  in  through 

worm— mfected  these  y  erate(j  a  set  of 

UDP  port  1434.  From  the  g  them  When  it 

random  IP  addlff  Klammer  infected  it  and 
found  a  vulnerable  host,  Siam  d  addresses 


34  www.csoonline.com  August  2003 


PHOTO-IUUSTRATION  BY  STEPHEN  WEBSTER 


IN  THIS  STORY:  A  definitive  account  of 
the  inherently  flawed  world  of  software 
patching  and  how  it’s  breaking'down 


* 

& 


I 


.**•1 


Slammer  was  a  nasty  bugger.  In  the  first  minute 
of  its  life,  it  doubled  the  number  of  machines  it 
infected  even  8.5  seconds.  (Just  to  put  that  in 

perspective,  back  in  July  2001,  the  Code  Red 
vims  concerned  experts  because  it  doubled 
its  infections  every  37  minutes.  Slammer 
peaked  in  just  three  minutes,  at  which  point  it  was 
scanning  55  million  targets  per  second.) 

Then,  almost  in  no  time,  Slammer  started  to 
decelerate,  a  victim  of  its  own  startling  efficiency  as  it 
bumped  into  its  own  scanning  traffic.  Still,  by  the  10- 
minute  mark,  90  percent  of  all  vulnerable  machines 
on  the  planet  were  infected.  But  when  Slammer 
subsided,  talk  focused  on  how  much  worse  it  would 
have  been  had  Slammer  hit  on  a  weekday  or,  worse, 
carried  a  destructive  payload. 

Talk  focused  on  patching.  True,  Slammer  was  the 
fastest  spreading  worm  in  history,  but  its  maniacal 
binge  occurred  a  full  six  months  after  Microsoft  had 
released  a  patch  to  prevent  it.  Those  looking  to  cast 
blame— and  there  were  many— cried  a  familiar 
refrain:  If  everyone  had  just  patched  his  system  in 
the  first  place,  Slammer  wouldn’t  have  happened. 

But  that’s  not  true.  And  therein  lies  our  story. 


August  2003  www.csoonline.com  35 


Cover  Story  |  Software  Security 


Slammer  was  unstoppable.  Which 
points  to  a  bigger  issue:  Patching  no 
longer  works.  Partly,  it’s  a  volume 
problem.  There  are  simply  too  many 
vulnerabilities  requiring  too  many 
combinations  of  patches  coming  too  fast.  Pic¬ 
ture  Lucy  and  Ethel  in  the  chocolate  factoiy— 
just  take  out  the  humor. 

But  perhaps  more  important  and  less  well 


understood,  it’s  a  process  problem.  The  cur¬ 
rent  manufacturing  process  for  patches— from 
disclosure  of  a  vulnerability  to  the  creation 
and  distribution  of  the  updated  code— makes 
patching  untenable.  At  the  same  time,  the 
only  way  to  fix  insecure  post- release  software 
(in  other  words,  all  software)  is  with  patches. 

This  impossible  reality  has  sent  patching 
and  the  newly  minted  discipline  associated 


with  it— patch  management— into  the  realm 
of  the  absurd.  More  than  a  necessary  evil,  it 
has  become  a  mandatory  fool’s  errand. 

Hardly  surprising,  then,  that  philosophies 
on  what  to  do  next  have  bifurcated.  Depend¬ 
ing  on  whom  you  ask,  it’s  either  time  to  patch 
less— replacing  the  process  with  vigorous  best 
practices  and  a  little  bit  of  risk  analysis— or  it’s 
time  to  patch  more— by  automating  the 


Patches  put  Bob 
Wynn,  CISO  of  the 
state  of  Georgia, 
‘between  a  rock  and  a 
hard  place,”  he  says. 
“I  can’t  automatically 
deploy  a  patch.  And  I 
don’t  have  the  time  to 
test  it  either.” 


36  www.csoonline.com  August  2003 


PHOTO  BY  STAN  KAADY 


process  with,  yes,  more  software. 

“We’re  between  a  rock  and  a  hard  place,” 
says  Bob  Wynn,  CISO  of  the  state  of  Georgia. 
“No  one  can  manage  this  effectively.  I  can’t 
just  automatically  deploy  a  patch.  And 
because  the  time  it  takes  for  a  virus  to  spread 
is  so  compressed  now,  I  don’t  have  time  to 
test  them  before  I  patch  either.” 

With  patching,  the  only  certainty  is  that 
CISOs  will  bear  the  costs  of  bringing  order  to 
the  intractable.  In  this  penny-pinching  era, 
other  C-level  executives  are  bound  to  ask  the 
CISO  why  this  is  necessary,  at  which  point 
someone’s  gonna  have  some  ’splaining  to  do. 

THE  LEARNED  ART 

Patching  is,  by  most  accounts,  as  old  as  soft¬ 
ware  itself.  Unique  among  engineered  arti¬ 
facts,  software  is  not  beholden  to  the  laws  of 


software  continues  to  find  itself  running  ever¬ 
more  critical  business  functions,  where  its  fail¬ 
ure  carries  profound  implications.  In  other 
words,  right  when  quality  should  be  getting 
better,  it’s  getting  exponentially  worse. 

Stitching  patches  into  these  complex  sys¬ 
tems,  which  sit  within  labyrinthine  networks 
of  similarly  complex  systems,  makes  it  impos¬ 
sible  to  know  if  a  patch  will  solve  the  problem 
it’s  meant  to  without  creating  unintended  con¬ 
sequences.  One  patch,  for  example,  worked 
fine  for  everyone— except  the  unlucky  users 
who  happened  to  have  a  certain  Compaq  sys¬ 
tem  connected  to  a  certain  RAID  array  with¬ 
out  certain  updated  drivers.  In  which  case  the 
patch  knocked  out  the  storage  array. 

Tim  Rice,  network  systems  analyst  at  Duke 
University,  was  one  of  the  unlucky  ones.  “If 
you  just  jump  in  and  apply  patches,  you  get 


mandate  slx  weeks  of  regression  testing  before 
a  patch  goes  live.  Third-party  vendors  often 
take  months  after  a  patch  is  released  to  certify 
that  it  won’t  break  their  applications. 

All  of  which  makes  the  post-outbreak 
admonishing  to  “Patch  more  vigilantly”  far¬ 
cical  and,  probably  to  some,  offensive.  It’s  the 
complexity  and  fragility,  not  some  inherent 
laziness  or  sloppy  management,  that  explains 
why  Slammer  could  wreak  such  havoc  185 
days  after  Microsoft  released  a  patch  for  it. 

“We  get  hot  fixes  everyday,  and  we’re  loath 
to  put  them  in,”  says  Frank  Clark,  senior  vice 
president  and  CIO  of  Covenant  Health  Care, 
whose  six-hospital  network  was  knocked  out 
when  Slammer  hit,  causing  doctors  to  revert 
to  paper-based  care.  “We  believe  it’s  safer  to 
wait  until  the  vendor  certifies  the  hot  fixes  in 
a  service  pack.” 


actually  create  more  DrojSem^  and  tfiey just  shift 
you  from  one  vulnerability  cycle  to  another. 

-BOB  WYNN,  CISO  OF  THE  STATE  OF  GEORGIA 


physics  in  that  it  can  endure  fundamental 
change  relatively  easily  even  after  it’s  been 
“built.”  Automobile  engines  don’t  take  to  pis¬ 
ton  redesigns  post-manufacture  nearly  so  well. 

This  unique  element  of  software  has  con¬ 
tributed  to  (though  is  not  solely  responsible 
for)  the  software  engineering  culture,  which 
generally  regards  quality  and  security  as 
obstacles.  An  adage  among  programmers  sug¬ 
gests  that  when  it  comes  to  software,  you  can 
pick  only  two  of  three:  speed  to  market,  num¬ 
ber  of  features,  level  of  quality.  Programmer’s 
egos  are  wrapped  up  in  the  first  two;  rarely  do 
they  pick  the  third  (since,  of  course,  software 
is  so  easily  repaired  later,  by  someone  else). 

Such  an  approach  has  never  been  more 
feckless.  Software  today  is  massive  (Windows 
XP  contains  45  million  lines  of  code)  and  the 
rate  of  sloppy  coding  (10  to  20  errors  per 
1,000  lines  of  code)  has  led  to  thousands  of 
vulnerabilities.  CERT  published  4,200  new 
vulnerabilities  last  year— that’s  3,000  more 
than  it  published  three  years  ago.  Meanwhile, 


nailed,”  he  says.  “Patching  is  a  learned  art. 
You  can  set  up  six  different  systems  the  same 
way,  apply  the  same  patch  to  each,  and  get  one 
system  behaving  differently.” 

Raleigh  Burns,  security  administrator  at  St. 
Elizabeth’s  Medical  Center,  agrees.  “Execu¬ 
tives  think  this  stuff  has  a  Mickey  Mouse  GUI, 
but  even  chintzy  patches  are  complicated.” 

The  conventional  wisdom  is  that  when  you 
implement  a  patch,  you  improve  things.  But 
Wynn  isn’t  convinced.  “We’ve  all  applied 
patches  that  put  us  out  of  service.  Plenty  of 
patches  actually  create  more  problems— they 
just  shift  you  from  one  vulnerability  cycle  to 
another,”  he  says.  “It’s  still  consumer  beware.” 

Yet  for  many  who  haven’t  dealt  directly 
with  patches,  there’s  a  sense  that  patches  are 
simply  click-and-fix.  In  reality,  they’re  often 
patch-and-pray.  At  the  very  least,  they  require 
testing.  Some  financial  institutions,  says 
Shawn  Hernan,  team  leader  for  vulnerability 
handling  in  the  CERT  Coordination  Center  at 
the  Software  Engineering  Institute  (SEI), 


On  the  other  hand,  if  Clark  had  deployed 
every  patch  he  was  supposed  to,  nothing 
would  have  been  different.  He  would  have 
been  knocked  out  just  the  same. 

PROCESS  HORRIBILIS 

Slammer  neatly  demonstrates  everything 
that’s  wrong  with  manufacturing  software 
patches.  It  begins  with  disclosure  of  the  vul¬ 
nerability,  which  happened  in  the  case  of 
Slammer  in  July  2002,  when  Microsoft  issued 
patch  MS02-039-  The  patch  steeled  a  file 
called  ssnetlib.dll  against  buffer  overflows. 

“Disclosure  basically  gives  hackers  an  attack 
map,”  says  Gary  McGraw,  CTO  of  Cigital  and 
the  author  of  Building  Secure  Software.  “Sud¬ 
denly  they  know  exactly  where  to  go.  1 1  it’s 
true  that  people  don’t  patch— and  they  don’t— 
disclosure  helps  mostly  the  hackers.’ 

Essentially,  disclosure’s  a  starter’s  gun. 
Once  it  goes  off,  it’s  a  footrace  between  hack¬ 
ers  (who  now  know  what  file  to  exploit)  and 
everyone  else  (who  must  all  patch  their  sys- 


August  2003  www.csoonline.com  37 


Cover  Story  |  Software  Security 


terns  successfully).  The  good  guys  never  win 
this  race.  Someone  probably  started  working 
on  a  worm  into  ssnetlib.dll  when  Microsoft 
released  MS02-039,  or  shortly  thereafter. 

In  the  case  of  Slammer,  Microsoft  built 
three  more  patches  in  2002— MS02-043  in 
August,  MS02-056  in  early  October  and 
MS02-061  in  mid-October— for  related  SQL 
Server  vulnerabilities.  MS02-056  updated 
ssnetlib.dll  to  a  newer  version;  otherwise,  all 
of  the  patches  played  together  nicely. 

Then,  on  October  30,  Microsoft  released 
Q317748,  a  nonsecurity  hot  fix  for  SQL  Server. 
Q317748  repaired  a  performance-degrading 
memory  leak.  But  the  team  that  built  it  had 
used  an  old,  vulnerable  version  of  ssnetlib.dll. 
When  Q317748  was  installed,  it  could  over- 
wrrite  the  secure  version  of  the  file  and  thus 


Ironically,  maintenance  programmers  write 
patches  using  the  same  software  development 
methodologies  employed  to  create  the  inse¬ 
cure,  buggy  code  they  ostensibly  set  out  to  fix. 
Imagine  that  10  people  are  taught  to  swim 
improperly,  and  one  guy  goes  in  the  water 
and  starts  to  drown.  Do  you  want  to  rely  on 
the  other  nine  to  jump  in  and  save  him? 

From  this  patch  factory  comes  a  poorly 
written  product  that  can  break  as  much  as  it 
fixes.  For  example,  an  esoteric  flaw  found  last 
summer  in  an  encryption  program— one  so 
arcane  it  might  never  have  been  exploited— 
was  patched.  The  patch  itself  had  a  gaping 
buffer  overflow  written  into  it,  and  that  was 
quickly  exploited,  says  Hernan.  In  another 
case  last  April,  Microsoft  released  patch  MS03- 
013  to  fix  a  serious  vulnerability  in  Windows 


the  “surgeon  general”  at  vendor  TruSecure. 

Slammer  hit  at  a  particularly  dynamic 
moment:  Microsoft  had  released  Service 
Pack  3  for  SQL  Server  days  earlier.  It  wasn’t 
immediately  clear  if  SP3  would  need  to  be 
patched  (it  wouldn't),  and  Microsoft  early  on 
told  customers  to  upgrade  their  SQL  Server  to 
SP3  to  escape  the  mess. 

Meanwhile,  those  trying  to  use  MS02-061 
were  struggling  mightily  with  its  kludginess, 
and  those  who  had  patched— but  got  infected 
and  watched  their  bandwidth  sucked  down 
to  nothing— were  baffled.  At  the  same  time,  a 
derivative  SQL  application  called  MSDE 
(Microsoft  Desktop  Engine)  was  causing  sig¬ 
nificant  consternation.  MSDE  runs  in  client 
apps  and  connects  them  back  to  the  SQL 
Server.  Experts  assumed  MSDE  would  be  vail- 


“By  late  Sunday  afternoon,  Microsoft  had  tw( 
in  one  room  figuring  out  what  to  say  to  customers 
room  trying  to  figure  out  how  to  repackage  the 


make  that  server  as  vulnerable  to  a  worm  like 
Slammer  as  one  that  had  never  been  patched. 

“As  bad  as  software  can  be,  at  least  when  a 
company  develops  a  product,  it  looks  at  it  holis¬ 
tically,”  says  SEI’s  Hernan.  “It’s  given  the  atten¬ 
tion  of  senior  developers  and  architects,  and  if 
quality'  metrics  exist,  that’s  when  they’re  used.” 

And  then  there  are  patches. 

Patch  writing  is  appropriated  to  entry-level 
maintenance  programmers,  says  Hernan. 
They  fix  problems  where  they’re  found.  They 
have  no  authority  to  look  for  recurrences  or  to 
audit  code.  And  the  patch  coders  face  severe 
time  constraints— remember  there’s  a  footrace 
on.  They  don’t  have  time  to  communicate  with 
other  groups  writing  other  patches  that  might 
conflict  with  theirs.  (Not  that  they’re  set  up 
to  communicate.  Russ  Cooper,  who  man¬ 
ages  NTBugtraq,  the  Windows  vulnerability 
mailing  list,  says  companies  often  divide 
maintenance  by  product  group  and  let  them 
develop  their  own  tools  and  strategies  for 
patching.)  There’s  little,  if  any,  testing  of 
patches  by  the  vendors  that  create  them. 


XP.  On  some  systems,  it  also  degraded  per¬ 
formance,  by  roughly  90  percent.  The  per¬ 
formance  degradation  required  another  patch, 
which  wasn’t  released  for  a  month. 

Slammer  feasted  on  such  methodological 
deficiencies.  It  infected  both  servers  made  vul¬ 
nerable  by  conflicting  patches  and  severs  that 
were  never  patched  at  all  because  the  SQL 
patching  scheme  was  kludgy.  These  particular 
patches  required  scripting,  file  moves,  and 
registry  and  permission  changes  to  install. 
(After  the  Slammer  outbreak,  even  Microsoft 
engineers  struggled  with  the  patches.)  Many 
avoided  the  patch  because  they  feared  break¬ 
ing  SQL  Server,  one  of  their  critical  platforms. 
It  was  as  if  their  car  had  been  recalled  and  the 
automaker  mailed  them  a  transmission  with 
installation  instructions. 

CONFUSION  ABOUNDS 

The  initial  reaction  to  Slammer  was  confu¬ 
sion  on  a  Keystone  Kops  scale.  “It  was  difficult 
to  know  just  what  patch  applied  to  what  and 
where,”  says  NTBugtraq’s  Cooper,  who’s  also 


nerable  to  Slammer  since  all  of  the  patches 
had  applied  to  both  SQL  and  MSDE  users. 

That  turned  out  to  be  true,  and  Cooper 
remembers  a  sense  of  dread  as  he  realized 
MSDE  could  be  found  in  about  130  third- 
party  applications.  It  runs  in  the  background; 
many  corporate  administrators  wouldn’t  even 
know  it’s  there.  Cooper  found  it  in  half  of 
TruSecure’s  clients.  In  fact,  at  Beth  Israel  Dea¬ 
coness  Hospital  in  Boston,  MSDE  had  caused 
an  infestation  although  the  network  SQL 
Servers  had  been  patched.  But  that’s  another 
story  for  another  time. 

When  customers  arrived  at  work  on  Mon¬ 
day  and  booted  up  their  clients,  which  in  turn 
loaded  MSDE,  Cooper  worried  that  Slammer 
would  start  a  re-infestation,  or  maybe  it  would 
spawn  a  variant.  No  one  knew  what  would 
happen.  And  while  patching  thousands  of 
SQL  Servers  is  one  thing,  finding  and  patch¬ 
ing  millions  of  clients  with  MSDE  running  is 
another  entirely.  Still,  Microsoft  insisted,  if 
you  installed  SQL  Server  SP3,  your  MSDE 
applications  would  be  protected. 


38  www.csoonline.com  August  2003 


It  seemed  like  reasonable  advice. 

Then  again,  companies  take  more  than  a 
week  to  stick  a  service  pack  into  a  network. 
After  all,  single  patches  require  regression 
testing  and  service  packs  are  hundreds  of 
security  patches,  quality  fixes  and  feature 
upgrades  rolled  together.  In  a  crisis,  upgrad¬ 
ing  a  sendee  pack  that  was  days  old  wasn’t 
reasonable.  Cooper  soon  learned  that  Best 
Software’s  MAS  500  accounting  software 
wouldn’t  run  with  Service  Pack  3.  MAS  500 
users  who  installed  SP3  to  defend  against 
Slammer  had  their  applications  fall  over.  They 
would  have  to  start  over  and  reformat  their 
machines.  All  the  while  everyone  was  trying  to 
beat  Slammer  to  the  workweek  to  avoid  a 
severe  uptick  in  Slammer  infections  when  mil¬ 
lions  of  machines  worldwide  were  turned  on 


issue  around  whether  vendors  are  hyping 
minor  vulnerabilities  in  order  to  associate 
themselves  with  the  discovery  of  a  vulnera¬ 
bility— yet  another  story  for  another  day).  Dis¬ 
tribution  might  be  automated  or  manual;  and 
installation  could  be  a  double-click  .exe  file 
or  a  manual  process. 

Microsoft  alone  uses  a  hierarchy  of  eight 
different  patching  mechanisms  (the  company 
says  it  wants  to  reduce  that  number).  But  that 
only  adds  to  more  customer  confusion. 

“How  do  I  know  when  I  need  to  reapply  a 
security  roll-up  patch?  Do  I  then  need  to  reap¬ 
ply  Win2K  Service  Pack  2?  Do  I  need  to  re¬ 
install  hot  fixes  after  more  recent  SPs?” 
Similar  questions  were  posed  to  a  third-party 
services  company  in  a  security  newsletter.  The 
answer  was  a  page-and-a-half  long. 


but  Slammer  has  become  something  of  a  turn¬ 
ing  point.  The  fury  of  its  10-minute  confla¬ 
gration  and  the  ensuing  comedy  of  a  gaggle  of 
firefighters  untangling  their  hoses,  rushing  to 
the  scene  and  finding  that  the  building  burnt 
down  left  enough  of  an  impression  to  con¬ 
vince  many  that  patching,  as  currently  prac¬ 
ticed,  really  doesn’t  work. 

“Something  has  to  happen,”  says  Rambus. 
“There’s  going  to  be  a  backlash  if  it  doesn’t 
improve.  I’d  suggest  that  this  patching  prob¬ 
lem  is  the  responsibility  of  the  vendors,  and 
the  costs  are  being  taken  on  by  the  customers.” 

There’s  good  news  and  bad  news  for  Ram¬ 
bus.  The  good  news  is  that  vendors  are  moti¬ 
vated  to  try  and  fix  the  patch  process.  And 
they’re  earnest— one  might  say  even  reli¬ 
gious— about  their  competing  approaches. 


*ooms  set  up  on  campus.  Services  guys  are 
1  security  response  team  is  in  the  other 
rntches  and  do  technical  damage  control.” 

-RUSS  COOPER  OF  TRUSECURE  AND  NTBUGTRAQ 


or  otherwise  exposed  to  the  worm  that,  over 
the  weekend,  remained  blissfully  dormant. 

“By  late  Sunday  afternoon,  Microsoft  had 
two  rooms  set  up  on  campus,”  says  Cooper. 
“Services  guys  are  in  one  room  figuring  out 
what  to  say  to  customers.  A  security  response 
team  is  in  the  other  room  trying  to  figure  out 
how  to  repackage  the  patches  and  do  techni¬ 
cal  damage  control. 

“I’m  on  a  cell  phone,  and  there’s  a  guy  there 
running  me  between  the  two  rooms.”  Cooper 
laughs  at  the  thought  of  it. 

REPEAT  MISTAKES 

As  the  volume  and  complexity  of  software 
increases,  so  does  the  volume  and  complexity 
of  patches.  The  problem  with  this,  says  SEI’s 
Hernan,  is  that  there’s  nothing  standard  about 
the  patch  infrastructure  or  managing  the 
onslaught  of  patches. 

There  are  no  standard  naming  conventions 
for  patches;  vulnerability  disclosure  comes 
from  whatever  competitive  vendor  can  get  the 
news  out  there  first  (which  creates  another 


There’s  also  markedly  little  record-keeping 
or  archiving  around  patches,  leaving  vendors 
to  make  the  same  mistakes  over  and  over 
without  building  up  knowledge  about  when 
and  where  vulnerabilities  arise  and  how  to 
avoid  them.  For  example,  Apple’s  Safari  Web 
browser  contained  a  significant  security  flaw 
in  the  way  it  validated  certificates  using  SSL 
encryption,  which  required  a  patch.  Every 
browser  ever  built  before  Safari,  Hernan  says, 
had  contained  the  same  flaw. 

“I’d  like  to  think  there’s  a  way  to  improve 
the  process  here,”  says  Mykolas  Rambus,  CIO 
of  financial  services  company  WP  Carey.  “It 
would  take  an  industry  body— a  nonprofit 
consortium-type  setup— to  create  standard 
naming  conventions,  to  production  test  an 
insane  number  of  these  things,  and  to  keep  a 
database  of  knowledge  on  the  patches  so  I 
could  look  up  what  other  companies  like  mine 
did  with  their  patching  and  what  happened.” 

Rambus  doesn’t  sound  hopeful. 

There  won’t  be  a  formal  announcement  of 
the  fact,  and  no  one  really  planned  it  this  way, 


And  the  fervent  search  for  a  cure  has  intensi¬ 
fied  markedly  since  Slammer. 

The  bad  news  is  that  it’s  not  clear  either 
approach  will  work.  And  even  if  one  does, 
none  of  what’s  happening  changes  the  eco¬ 
nomics  of  patching.  Customers  still  pay. 

MORE  OR  LESS 

There  are  two  emerging  and  opposite  patch 
philosophies:  Either  patch  more,  or  patch  less. 

Vendors  in  the  Patch  More  school  have, 
almost  overnight,  created  an  entirely  new  class 
of  software  called  patch  management  soft¬ 
ware.  The  term  means  different  things  to 
different  people  (already  one  vendor  has  con¬ 
cocted  a  spinoff,  “virtual  patch  management”), 
but  in  general,  PM  automates  the  process  oi 
finding,  downloading  and  applying  patch* 
Patch  More  adherents  believe  patching  isn  t 
the  problem,  but  that  manual  patching  is. 
Perfunctory  checks  for  updates  and  auto¬ 
mated  deployment,  checks  for  conflicts,  roll 
back  capabilities  (in  case  there  is  a  conflict) 
will,  under  the  Patch  More  school  of  thought, 


August  2003  www.csoonline.com  39 


Cover  Story  |  Software  Security 


fix  patching.  PM  software  can  keep  machines 
as  up-to-date  as  possible  without  the  possi¬ 
bility  of  human  error. 

The  CISO  at  a  major  convenience  store 
retail  chain  says  it’s  already  working.  “Patch¬ 
ing  was  spiralling  out  of  control  until  recently,” 
he  says.  “Before,  we  knew  we  had  a  problem 
because  of  the  sheer  volume  of  patches.  We 
knew  we  were  exposed  in  a  handful  of  places. 
The  update  services  coming  now  from 
Microsoft,  though,  have  made  the  situation 
an  order  of  magnitude  better.” 

Duke  University’s  Rice  tested  patch  man¬ 
agement  software  on  550  machines.  When 
the  application  told  him  he  needed  10,000 
patches,  he  wasn’t  sure  if  that  was  a  good 
thing.  “Obviously,  it’s  powerful,  but  automa¬ 
tion  leaves  you  open  to  automatically  putting 
in  buggy  patches.”  Rice  might  be  thinking  of 
the  patch  that  crashed  his  storage  array  on  a 
Compaq  server.  “I  need  automation  to  deploy 
patches,”  he  says.  “I  do  not  want  automated 
patch  management.” 

The  Patch  Less  constituency  is  best  repre¬ 
sented  by  Peter  Tippett,  vice  chairman  and 
CTO  of  TruSecure.  Tippett  is  fanatical  about 
patching’s  failure.  Based  on  12  years  of  actu¬ 
arial  data,  he  says  that  only  about  2  percent  of 
vulnerabilities  result  in  attacks.  Therefore, 
most  patches  aren’t  worth  applying.  In  risk 
management  terms,  they’re  at  best  superflu¬ 
ous  and,  at  worst,  a  significant  additional  risk. 

Instead,  Tippett  says,  improve  your  security 
policy— lock  down  ports  such  as  1434  that  really 
had  no  reason  to  be  open— and  pay  third  parties 
to  figure  out  which  patches  are  necessary  and 
which  ones  you  can  ignore.  “More  than  half  of 
Microsoft’s  72  major  vulnerabilities  last  year 
will  never  affect  anyone  ever,”  says  Tippett. 
“With  patching,  we’re  picking  the  worst  possi¬ 
ble  risk-reduction  model  there  is.” 

Tippett  is  at  once  professorial  and  con¬ 
stantly  selling  his  own  company’s  ability  to 
provide  the  services  that  make  patching  less 
viable.  But  many  thoughtful  security  leaders 
think  Tippett’s  approach  is  as  flawed  and  dan¬ 
gerous  as  automated  patch  management. 

“There’s  no  place  for  that  kind  of  thinking, 
to  patch  less,”  says  St.  Elizabeth’s  Burns.  “As 
soon  as  an  exploit  takes  advantage  of  an 
unknown  vulnerability— and  one  will— those 
guys  will  be  scratching  their  heads.  He’s  using 
old-school  risk  analysis.  How  can  you  come  up 


with  an  accurate  probability  matrix  on 
blended  threat  viruses  using  12  years  of  data 
when  they’ve  only  been  around  for  two  years?” 

Add  to  this  a  sort  of  emotional  inability  to 
not  patch— sort  of  like  forgetting  to  put  on 
your  watch  and  feeling  naked  all  day.  Several 
CISOs  described  an  illogical  pull  to  patch, 
even  if  the  risk  equation  determined  that  less 
patching  is  equally  or  even  more  effective. 

There’s  also  an  emerging  hybrid  approach— 
which  combines  the  patch  management  soft¬ 
ware  with  expertise  and  policy  management. 
It  also  combines  the  costs  of  paying  smart 


Scary  Patch  Stats 


Intel  last  year  applied  2.4  million 
patches  to  its  own  network. 

One  CISO  scanned  470  machines  with 
patch  management  software,  which 
told  him  to  apply  3,000  patches. 

Researching  each  of  the  4,200  vulner¬ 
abilities  published  by  CERT  last  year 
for  10  minutes  would  have  required 
one  staffer  to  research  for  17.5  full 
workweeks,  or  700  hours. 

A  company  with  100,000  IP  addresses 
is  subject  to  2.3  million  vulnerabil¬ 
ity  probes  per  day. 

SOURCES:  INTEL  WHITE  PAPER.  REPORTING,  CERT,  ICSA  LABS 

people  to  know  your  risks  while  also  investing 
in  new  software. 

“There’s  a  huge  push  right  when  P&L  cap¬ 
tains  are  telling  CISOs  to  keep  costs  down,” 
says  Hernan.  That  might  explain  why  the 
executive  security  ranks  are  far  less  enamored 
by  the  Patch  Less/Patch  More  philosophies. 
The  polar  approaches  haven’t  yet  spurred 
CISOs  to  take  sides  so  much  as  they’ve  flum¬ 
moxed  them.  Ambivalent  confusion  reigns. 

Hernan  says,  “I  can  understand  the  frus¬ 
tration  that  can  lead  to  the  attitude  of,  ‘Forget 
it,  I  can’t  patch  everything,’  but  that  person’s 
taking  a  big  chance.  On  the  other  hand,  he’s 
also  taking  a  big  chance  applying  a  patch.” 

“I  don’t  have  much  faith  in  automated 
patching  schemes,”  says  Rambus.  “But  I  could 
be  convinced.” 

Georgia’s  Wynn  is  ambivalent  too.  “If  you 


think  patch  management  is  a  cure,  you’re  mis¬ 
taken.  Think  of  it  as  an  incremental  improve¬ 
ment.  I  have  to  take  a  theory  of  the  middle 
range,”  he  says  vaguely. 

POSTSCRIPT 

On  Monday  after  Slammer  hit,  Microsoft  re- 
released  MS02-061  to  cover  up  the  memory 
leak  and  update  ssnetlib.dll,  and  it  was  much 
easier  to  install.  Of  course,  by  then,  Slammer 
was  already  pandemic.  Microsoft  itself  was 
infected  badly,  prompting  a  moment  of 
schadenfreude  for  many.  ISP  networks  had 
collapsed;  several  root  DNS  servers  were  over¬ 
whelmed;  airlines  had  canceled  flights;  ATM 
machines  refused  to  hand  out  money.  In 
Canada,  a  national  election  was  delayed. 

Aiid  after  all  that,  the  patches  had,  at  best, 
a  miniscule  mitigating  effect  against  Slam¬ 
mer.  What  ended  up  preventing  Slammer 
from  worming  its  way  into  the  workweek  and 
causing  even  more  damage,  it  turns  out,  was 
a  rare  and  unusual  gesture  by  ISPs.  That  same 
Monday,  they  agreed  to  cooperatively  block 
Internet  traffic  on  UDP  port  1434,  the  one 
Slammer  used  to  propagate  itself.  “That’s  what 
allowed  us  to  survive,”  says  Cooper. 

And  surely,  with  ISPs  blocking  the  door, 
companies  would  seize  the  opportunity  to 
update,  test  and  deploy  the  new  patches.  Or, 
if  they  felt  up  to  it,  they  could  upgrade  to  Ser¬ 
vice  Pack  3.  They  could  use  the  time  to  locate 
and  patch  all  of  their  MSDE  clients  and,  once 
and  for  all,  kill  Slammer  dead. 

Ten  days  later,  when  ISPs  opened  port  1434 
again,  sure  enough,  there  was  a  spike  in 
Slammer  infections  of  SQL  Servers.  Six 
months  later,  in  mid- July,  as  this  story  went  to 
press,  the  Wormwatch.org  listener  service 
showed  Slammer  remained  the  most  preva¬ 
lent  worm  in  the  wild,  twice  as  common  as  any 
other  worm.  It  was  still  trolling  for,  and  find¬ 
ing,  unpatched  systems  to  infect.  ■ 

Senior  Editor  Scott  Berinato  can  be  reached  via  e-mail  at 
sberinatoficxo.com. 


Tell  Us  What  You  Think 

Do  patches  cause  more  problems  than  they  solve?  Share 
your  stories  with  us.  Type  the  DocID  number  (above) 
into  the  search  box  at  www.csoonline.com  and  post 
your  comments  online. 


40  www.csoonline.com  August  2003 


Is  Your  Security  Alert  Service 
Biased  or  Independent? 


My  security  alert  service  provider  is  really 
a  major  security  product  vendor: 

Q  Yes  [_J  No 

My  security  alert  service  provider  publishes  a  magazine  that 
sells  advertising  to  major  security  product  vendors: 

Q  Yes  Q  No 

My  security  alert  service  provider 
is  independent  and  unbiased: 

Q  Yes  Q  No 


No  censorship.  No  delays.  No  sugar  coating. 

i^Sjsicurity  ® 

tracker 

Keep  Track  of  the  Latest  Vulnerabilities  and  Threats 

1-8BB-241-3895 


http  : //sec  unity  tracker,  com/c  so 


..V:  ? ,,» 


Health  officials  are  working  toward  a  sophisticated 
IT  network  that  could  detect  the  early  warning  signs 
of  bioterrorism,  but  formidable  obstacles  remain 

ily  Sarah  D.  Scalet 


At  first,  bioterrorism— whether  it’s  inhalation  anthrax,  small¬ 
pox,  pneumonic  plague  or  something  else  entirely— will  prob¬ 
ably  feel  like  the  flu.  You’ll  be  miserable,  but  you  probably 
won’t  be  alarmed.  You’ll  go  to  your  local  drugstore,  clinic, 
maybe  an  emergency  room.  Doctors  in  one  place  or  another 
might  notice  a  small  uptick  in  patients  with  flulike  symptoms. 
But  no  one  will  see  the  pattern.  Until  people  start  dying. 

That  is,  unless  a  sophisticated  computer  network  could 
transmit  and  integrate  patient  information  in  real-time  so 


IN  THIS  STORY:  Why  IT  is  so 

crucial  to  bioterrorism  response 
and  detection  *  Why  the 
biggest  barrier  to  disease  sur¬ 
veillance  is  at  the  local  level 
How  new  detection  systems 
could  lay  the  groundwork  for 
electronic  medical  records 


42  www.csoonlme.com  August  2003 

J.$VS.T  ?  ’  V .  YV  '1  ' 


ILLUSTRATION  BY  RICHARD  BORGE 


^  ^ .-*11  1 

V  Jffi 

I  •  !f 

10 

1  j  -1 

•  - 1/4 

{  la 

1  i  'a 
i  iJI 

1  i3:-M 

I  H 

|p 

1^;’^ 

R 

JJ 

*Q| 

'\jm  p 

W i  ‘  Jk  ^r»jt 1 

Ifr- *■ ■'  ^ 

Ss 

f  MKt 

/  J 

£ 

■  A  ji-'jL jbj-T 

.:= 

sS  4\  v  Sfek. 

-  >35fc. 

1  ~ 

Bioterrorism 


that  health  officials  could  see  what  was  hap¬ 
pening  across  hundreds,  if  not  thousands,  of 
facilities.  And  that’s  just  what  legions  of  tech¬ 
nologists  and  clinicians  in  public  health 
departments,  hospitals,  laboratories  and  phar¬ 
macies  are  trying  to  develop  right  now. 

“The  systems  are  being  defined  and  created 
as  we  speak,”  says  Rosemary  Nelson,  chair¬ 
man  of  National  Preparedness  and  Response, 
a  new  bioterrorism  task  force  created  by  the 
Healthcare  Information  Management  and  Sys¬ 
tems  Society  (HIMSS).  If  such  a  network 
existed,  health  officials  could  sound  the  alarm 
in  that  precariously  short  window  of  time  when 
the  spread  of  the  disease  could  be  stopped. 

The  system  could  be  information  technol¬ 
ogy’s  finest  hour,  saving  lives  as  well  as  money. 
Even  without  a  bioterrorism  attack,  a  surveil¬ 
lance  system  would  be  useful  in  detecting  the 
early  stages  of  any  disease,  such  as  the  recent 
outbreak  of  the  mysterious  ailment  called 
SARS,  or  severe  acute  respiratory  syndrome. 
Such  a  system  could  also  help  lay  the  ground¬ 
work  for  a  long-desired  standardization  of 
electronic  medical  records,  which  would  sig¬ 
nificantly  reduce  errors  in  patient  care  and 
save  substantial  amounts  of  time  and  money. 

But  if  the  pieces  don’t  come  together— or  if 
they  do  but  in  the  process  erode  the  concept  of 
patient  confidentiality— then  that  could  be 
IT’s  greatest  failure. 

“[Technology]  has  so  much  potential  use  in 
bioterrorism  and  health  care,  but  the  word  is 
potential says  Dr.  Eduardo  Ortiz,  a  senior  fel¬ 
low  with  the  Agency  for  Health  Care  Research 
and  Quality  at  the  U.S.  Department  of  Health 
and  Human  Services,  which  in  August  2002 
released  a  354-page  report  about  how  IT 
could  be  used  for  bioterrorism  preparedness 
and  response.  “We’re  not  there  yet;  we’re  not 
even  close,”  he  says. 

Since  the  anthrax  attacks  in  Connecticut, 
Florida,  New  York  and  Washington,  D.C.,  def¬ 
inite  progress  has  been  made  in  creating  an 
effective  early  warning  system  for  bioterror¬ 
ism.  But  wildly  disparate  computer  systems, 
disconnected  and  often  overlapping  projects, 
and  a  lack  of  industry  standards  still  stand  in 
the  way  of  creating  the  kind  of  network  that 
can  save  lives. 

In  late  January,  HHS  Secretary  Tommy 
Thompson  unveiled  a  $3.5  million  command 
center  in  Washington,  D.C.  Seeking  to  reas¬ 


sure  a  public  nervous  about  biological  and 
chemical  attacks,  Thompson  explained  that 
this  new  command  post  would  let  him  coor¬ 
dinate  the  response  to  a  bioterrorist  attack 
and  bring  together  everyone  from  the  CIA  to 
the  Centers  for  Disease  Control  and  Preven¬ 
tion  (CDC),  which  is  part  of  HHS.  As  CNN 
cameras  filmed  a  wall  of  video  screens  24  feet 
wide  and  7  feet  tall,  correspondent  Wolf 
Blitzer  told  viewers  that  they  were  witness¬ 
ing  “how  your  life  could  be  saved.” 

It  was  all  window  dressing.  In  many  parts 
of  the  country,  the  primary  mechanism  for 
detecting  bioterrorism— or  any  epidemic— is 
still  the  cards  that  doctors  are  required  to  fill 
out  with  the  patient’s  name,  address  and  diag¬ 
nosis,  and  submit  to  local  health  departments 


▲ 


computerized 
nationwide 
network  that 
could  detect  the 
early  signs  of  a 
bioterrorism 
attack  or  disease 
outbreak  could 
be  IT’s  greatest 
success— or  its 
biggest  failure, 
if  patient 
confidentiality  is 
compromised. 


when  they  come  across  a  disease  that  poses  a 
significant  health  risk.  The  diseases  that  must 
by  law  be  reported  vary  state  to  state:  West 
Nile  in  New  York;  the  hantavirus  in  New  Mex¬ 
ico;  most  sexually  transmitted  diseases, 
everywhere.  The  root  philosophy  is  that 
doctor-patient  confidentiality  must  sometimes 
be  secondary  to  preserving  public  health.  (The 
notable  exception  to  that  rule  is  when  a 
patient  has  AIDS  or  is  HIV-positive.) 

On  a  local  level,  health  officials  use  those 
reports  to  track  treatment,  notify  others,  who 
may  have  been  infected  or  quarantine  an  indi¬ 
vidual  if  necessary.  On  a  broader  level,  epi¬ 
demiologists  look  for  disease  patterns  across 
the  city,  county,  state  or  nation,  and  alert 
health-care  practitioners  and  the  CDC  to  any¬ 
thing  unusual. 

Some  local  health  departments  have  started 
allowing  clinicians  to  submit  this  information 
electronically,  but  not  many  do.  Many  health 
departments  still  worry  about  upgrading  their 
dial-up  Internet  connections  to  broadband. 

For  doctors,  the  reporting  process  is  so 
labor  intensive  that  observers  put  the  com¬ 
pliance  rate  at  less  than  20  percent.  That 
means  that  four  times  out  of  five,  doctors 
never  even  bother  to  fill  out  a  report.  Fortu¬ 
nately,  the  laboratories  where  they  send  their 
tests  tend  to  be  more  automated  and  therefore 
more  likely  to  file  that  information  electroni¬ 
cally  with  the  public  health  department.  But 
no  one  believes  that  public  health  depart¬ 
ments  have  anywhere  near  a  complete  view  of 
what’s  going  on— regardless  of  the  bank  of 
video  screens  that  adorn  Thompson’s  com¬ 
mand  center. 

“In  retail  America,  they  long  ago  made  the 
entire  supply  chain  of  data  electronic  from 
cradle  to  grave,”  says  CDC  CIO  James  D. 
Seligman.  “The  chairman  of  Wal-Mart  can 
find  out  how  many  widgets  got  sold  an  hour 
and  a  half  ago  anywhere  in  America.  That’s 
where  we’re  trying  to  get  with  health  data— to 
enable  that  electronic  passage  of  information 
from  the  point  of  encounter,  when  a  patient 
sees  a  health-care  professional,  and  then  pass 
all  that  data  on  electronically  to  the  appro¬ 
priate  jurisdictions.” 

The  health-care  system  is  a  long  way  away 
from  that,  says  Jim  Klein,  a  vice  president 
and  research  director  for  Gartner.  Even  in 
areas  where  local  health  departments  do 


44  www.csoonline.com  August  2003 


Outbreak 

.  /•  ■■  ■  iy  •  ■  .  •-  v  .  • 

Today,  it  might  take  weeks  or  months  for  the  CDC  to  gather  sufficient  information 
to  spot  a  bioterrorist  attack.  With  a  sophisticated  IT  network,  it  would  take  just  days. 


THE  SYSTEM  TODAY  THE  SYSTEM  TOMORROW? 


2  Up  to  a  month  later: 
Doctor  scribbles  patient 
data  on  form.  Mails 
it  to  public  health 
department  at 
end  of  month. 


1  Patient 
visits  doctor. 


up  to  1  month 


2-7  davs  in  mail 


Public  health 
official  may 
request  additional 
information 
from  doctor. 


2-7  days  for  analysis 


HOSPITAL 


PUBLIC  HEALTH  DEPT. 


1  day 

V 

1A1 

r. 

1-2  days 


2-3 

DAYS 

TOTAL 


30+ 

DAYS 

TOTAL 


3  Public  health 
officials  input 
and  analyze 
patient  data  and 
then  cull  trend 
information  to 
send  to  CDC. 


CDC 


1  Patient  visits  doctor. 

2  Same  day:  Doctor 
inputs  data  in  computer. 
It’s  sent  automatically  to 
public  health  department, 


3  Software  in  public  health 
department  spots  a  possible 
outbreak  and  sends  trend 
information  to  CDC. 


4  CDC  compiles  and 
analyzes  reports  from  local 
health  departments. 

5  CDC 

announces 

outbreak. 


4  CDC  compiles 
and  analyzes  reports 
from  local  health 
departments. 


5  CDC 

announces 

outbreak. 


accept  information  electronically,  Klein  esti¬ 
mates  that  only  about  5  percent  of  hospitals 
have  fully  automated  medical  records.  That 
lack  of  automation  and  standardization  means 
that  the  disease-reporting  process  is  not  only 
spotty  but  also  slow.  A  doctor’s  office  might 
wait  until  the  end  of  the  month  to  mail  its 
stack  of  forms  to  the  local  health  department. 
From  there,  the  forms  could  take  another 
month  to  be  processed,  analyzed  and  sent  on. 

Needless  to  say,  that’s  just  not  fast  enough 
for  bioterrorist  incidents,  which  doctors  say 
they  must  respond  to  in  hours,  not  weeks. 
Anthrax  victims,  for  instance,  should  be 
treated  in  the  first  couple  of  days  after  expo¬ 
sure.  By  day  six,  when  a  person  is  sick  enough 
to  go  to  the  emergency  room,  she  might  be  too 
sick  to  be  saved. 


“Epidemiology  is  good  and  gets  you  to  dis¬ 
ease  recognition,  but  unfortunately  [the 
recognition  comes]  a  month  or  two  after  the 
information  is  worth  anything,”  says  Dr. 
Michael  Allswede,  an  emergency  room  physi¬ 
cian  and  clinical  associate  professor  at  the 
University  of  Pittsburgh  School  of  Medicine, 
who  was  also  a  U.S.  Army  medical  company 
commander  in  Desert  Storm. 

It  gets  worse.  Even  if  all  the  information 
available  about  disease  diagnoses  were  col¬ 
lected  and  analyzed  in  real-time,  that  still 
wouldn't  be  enough  to  short-circuit  a  biolog¬ 
ical  attack.  That’s  because  the  information  we 
possess  under  current  law  and  practice  is 
insufficient.  Doctors  have  no  reason  or  obli¬ 
gation  to  report  many  of  the  early  warning 
signs  of  bioterrorism— the  flulike  symptoms 


that  could  be  public  health  officials’  first  hint 
that  something  has  gone  wrong.  In  fact,  the 
Health  Insurance  Portability  and  Account¬ 
ability  Act  (HIPAA)  prevents  doctors  from 
sharing  any  kind  of  personally  identifiable 
patient  information  with  a  third  party,  except 
in  cases  when  the  public  health  departments 
need  to  know  about  a  legally  reportable  dis¬ 
ease.  In  other  words,  a  doctor  is  legally  <  li¬ 
gated  to  notify  public  health  that  a  certain 
patient  has  anthrax  but  legally  forbid.  V .  f 
notifying  public  health  that  a  spec  fie  patient 
has  the  symptoms  of  anthrax. 

Nevertheless,  a  few  local  health  depart¬ 
ments  are  starting  to  gather  symptom  infor¬ 
mation  that  could  give  early  warnings  about 
the  outbreak  of  a  disease.  But  this  “syndromic 
surveillance,”  as  it’s  known,  is  being  held  back 


INFOGRAPHIC  BY  ALBERTO  CAPOLINO 


August  2003  www.csoonlme.com  45 


Bioterrorism 


not  just  by  technological  challenges  but  by 
political  ones,  as  health-care  providers  grap¬ 
ple  with  the  line  between  trend  information— 
perhaps  including  a  patient’s  age,  gender  and 
ZIP  code  along  with  his  symptoms— and  the 
personally  identifiable  information  protected 
by  the  HIPAA  legislation. 

Tracking  Symptoms  in  New  York 

New  York  City  has  stopped  waiting  for  doctors 
to  fill  out  those  little  cards.  Instead,  the  city  is 
working  on  what  it  hopes  will  one  day  be  a 
model  of  how  to  identify  the  outbreak  of  a 
disease  in  its  earliest  stages.  More  than  two 
years  ago,  the  New  York  City  Department  of 
Health  and  Mental  Hygiene  started  gathering 
911  call  data  for  cases  involving  sickness  and 
respiratory  distress.  Then,  shortly  after  Sept. 


11,  the  department  also  began  collecting  from 
emergency  rooms  what’s  known  as  the  “chief 
complaint”  of  incoming  patients,  such  as  fever, 
nausea  or  a  persistent  cough.  This  is  the  most 
likely  health  information  to  be  entered  into  a 
computer  because  even  if  patient  case  files  are 
not  automated,  insurance  and  admittance  sys¬ 
tems  usually  are.  That  information  also  includes 
a  patient’s  age,  gender  and  ZIP  code,  but  not 
his  name,  ethnicity  or  other  personal  data. 

The  information  comes  in  to  the  NYC 
Health  Department  via  secure  FTP  once  or 
twice  a  day,  sometimes  just  in  ASCII  format, 
with  about  40  of  the  city’s  90  hospitals  par¬ 
ticipating  so  far.  “We  said,  ‘Give  us  whatever 
you  have,  and  we’ll  put  it  in  a  common  form 
for  analysis,”’  says  Ed  Carubis,  CIO  of  the  NYC 
Health  Department.  “We  didn’t  force  them  to 
use  a  certain  data  standard  or  make  them 


jump  through  hoops  because  what  we  really 
wanted  was  participation.” 

Using  that  information,  public  health  offi¬ 
cials  can  now  identify  the  start  of  flu  season 
two  weeks  before  the  trend  shows  up  in  labo¬ 
ratory  results,  allowing  them  to  get  a  jump 
on  awareness  campaigns.  The  department  has 
also  started  gathering  information  about  cer¬ 
tain  kinds  of  prescription  and  over-the- 
counter  drug  sales  (from  at  least  one  major 
pharmacy  chain)  and  absentee  rates  (from  a 
few  major  employers  in  the  city). 

Will  the  city  start  tracking  sales  of  orange 
juice  and  Kleenex  next?  Carubis  can’t  be  sure 
because  the  NYC  Health  Department  is  still 
trying  to  figure  out  how,  exactly,  to  extract 
meaning  from  pharmacy  sales  and  absentee 
rates.  (What  red  flag  goes  up  when  there’s  a 
run  on  Maalox?)  He  also  won’t  say  which 
pharmacies  or  employers  are  sharing  num¬ 
bers  with  the  city.  That  probably  has  some¬ 
thing  to  do  with  the  fact  that  this  kind  of 
system,  frankly,  gives  some  people  the  creeps. 


Kansas  City,  for  instance,  health-care  vendor 
Cerner  is  working  with  local  hospitals  to  auto¬ 
matically  send  certain  computerized  lab 
reports  to  health  departments  in  Kansas  and 
Missouri.  Only  health  departments  have  the 
key  to  unencrypt  identifying  information,  but 
physicians  at  any  of  the  23  participating  hos¬ 
pitals  can  view  the  region’s  trend  data  for 
research  purposes.  “Before,  we  were  living  in 
our  own  little  pockets  of  data,”  says  John  Wade, 
vice  president  and  CIO  of  Saint  Luke’s  Health 
System,  one  of  the  participating  organizations. 

In  the  Minneapolis  area,  after  much  wran¬ 
gling  over  HIPAA,  the  nonprofit  health-care 
organization  HealthPartners  started  sending 
information  about  flulike  illnesses  to  researchers 
at  the  Harvard  Medical  School,  as  part  of  a 
$1.2  million  early  warning  system  funded  by 
the  CDC.  Other  participants  include  the  HMO 
Kaiser  Permanente  and  Optum,  which  oper¬ 
ates  a  national  24-hour  health  hotline.  “I’ve 
spent  as  much  time  working  on  the  privacy 
concerns  as  everything  else  combined,”  says 


ruly  effective  public  health 

surveillance  must  await  the 
resolution  of  a  debate  on  how  the 
nation’s  need  to  know  will  be 
balanced  with  the  individual’s  right 
to  privacy. 


Privacy  advocates  wonder  how  useful  this  kind 
of  information  can  really  be  and  what  further 
invasions  of  privacy  it  might  lead  to. 

Who’s  Doing  What? 

For  one  researcher,  New  York’s  fledgling  sur¬ 
veillance  project  is  just  line  47  on  a  spread¬ 
sheet  of  projects.  John  McLamb  has  been 
trying  to  pull  together  a  comprehensive  list  of 
all  the  national,  state  and  local  bioterrorism 
initiatives  that  health  departments,  universi¬ 
ties,  professional  associations  and  even  the 
Department  of  Defense  are  currently  attempt¬ 
ing.  McLamb,  who  is  director  of  informatics  for 
emergency  medicine  at  the  University  of  North 
Carolina  at  Chapel  Hill,  is  doing  the  work  for 
HIMSS’s  group  on  bioterrorism  and  not  at  the 
behest  of  any  federal  agency. 

Every  line  on  his  spreadsheet  has  a  story.  In 


Dr.  James  Nordin,  a  clinical  research  investi¬ 
gator  at  HealthPartners.  “What  we  have  done 
is  to  be  very  limited  about  the  information 
that  goes  out  to  the  Minnesota  Department  of 
Health  and  even  more  limited  about  the  infor¬ 
mation  that  we  send  to  the  data  center  at 
Boston.” 

And  in  New  Mexico,  researchers  at  Sandia 
National  Labs  have  developed  a  system  called 
the  Rapid  Syndromic  Validation  Project— the 
only  one  of  the  bunch  that,  instead  of  fishing 
information  out  of  existing  data  streams, 
requires  health-care  providers  to  actually  log 
on  to  a  secure  website  and  type  in  information 
about  a  patient’s  symptoms  in  exchange  for 
trend  and  treatment  information.  “We  tell  the 
doctor  that  we  only  want  sick  people,  and  we 
give  the  doctor  something  back  that’s  rele¬ 
vant  to  the  patient  they’re  treating— not  in 


46  www.csoonline.com  August  2003 


10  days  but  in  10  seconds,”  says  Alan  Zelicoff, 
the  senior  scientist  who  developed  the  system 
and  hopes  it  will  eventually  be  used  across 
the  country. 

In  those  programs  and  dozens  of  similar 
ones  in  the  works,  there’s  more  than  a  little 
braggadocio  involved.  “This  one’s  the  best,” 
Zelicoff  says,  by  way  of  greeting  this  reporter 
when  I  called  for  an  interview. 

And  there’s  more  than  a  little  overlap  too. 
“I  see  a  lot  of  efforts  out  there  that  are  redun¬ 
dant,”  McLamb  says.  “If  people  who  are  doing 
the  same  thing  would  get  together,  they 
wouldn’t  have  to  reinvent  the  wheel.” 

Pocketbook  Persuasion 

With  so  many  projects  being  developed  by  so 
many  entities,  the  ultimate  success  of  any 
national  bioterrorism  surveillance  system  will 
depend  on  one  thing:  whether  those  systems 
can  ever  talk  to  each  other.  And  if  there’s  one 
thing  that  everyone  involved  agrees  on,  it’s 
the  need  for  standards. 

The  federal  government  has  taken  one  big 
step  in  that  regard.  In  March,  the  U.S.  Depart¬ 
ment  of  Health  and  Human  Services  along 
with  the  departments  of  Defense  and  Veterans 
Affairs  jointly  released  the  first  set  of  uniform 
health  information  standards  for  exchanging 
clinical  data  electronically  across  the  federal 
government.  When  developing  new  systems, 
all  federal  agencies  are  now  obligated,  among 
other  things,  to  use  the  Health  Level  7  mes¬ 
saging  format— a  set  of  drug-ordering  guide¬ 
lines  already  adopted  under  HIPAA— and  a 
group  of  codes  for  laboratory  results. 

Ultimately,  though,  public  health  is  a  very 
local  activity.  It’s  you,  your  doctor,  your  exam 
room,  your  lab  test  results.  When  it  comes  to 
reaching  the  state  and  local  health  depart¬ 
ments  that  interact  with  all  the  players,  the 
federal  government  has  a  lot  less  control  than 
one  might  expect.  “Typically,  if  there’s  an  out¬ 
break  of  a  disease  at  the  local  or  state  level, 
they  will  handle  it  locally  or  invite  the  CDC  in 
on  an  as-needed  basis,”  the  CDC’s  Seligman 
says.  “We  offer  our  assistance,  but  ultimately 
it’s  their  call.” 

The  one  way  that  the  federal  government 
does  have  power  to  persuade  is  with  its  pock¬ 
etbook.  And  that’s  where  the  CDC’s  National 
Electronic  Disease  Surveillance  System 
(NEDSS)  comes  in.  This  system  lays  out  a  sort 


see  a  lot  of 
efforts  out  there 
that  are 
redundant. 

If  people  who  are 
doing  the  same 
thing  would  get 
together,  they 
wouldn’t  have 
to  reinvent  the 
wheel.” 

-JOHN  MCLAMB,  DIRECTOR  OF 
INFORMATICS  FOR  EMERGENCY 
MEDICINE  AT  THE  UNIVERSITY  OF 
NORTH  CAROLINA  AT  CHAPEL  HILL 

of  meta-standard  for  both  health-care  infor¬ 
mation  and  IT  standards.  All  state  health- 
department  systems  must  be  NEDSS- 
compatible— at  least  they  do  if  they  want  a 
piece  of  the  $918  million  in  bioterrorism 
grants  that  the  CDC  is  handing  out  this  year. 

This  pocketbook  persuasion  could  pave  the 
way  for  electronic  medical  records  in  the 
health-care  industry.  “These  standards  that 
make  national  disease  surveillance  work  are 
the  same  standards  that  we’ll  need  if  we’re 
going  to  move  forward  to  a  day  when  you  can 
ask  a  doctor  to  send  your  medical  records  elec¬ 
tronically  to  a  new  doctor,”  Gartner’s  Klein 
says.  But  the  work  also  highlights  just  how 
difficult  the  journey  will  be. 


Pennsylvania  is  one  of  the  few  states  that 
has  already  adopted  the  system.  There,  the 
state  Department  of  Health  built  a  NEDSS- 
compliant  application  that  allows  doctors  to 
go  to  a  secure  website  to  report  a  disease.  As 
soon  as  a  doctor  hits  “save,”  the  information  is 
available  to  public  health  investigators. 

Development  was  no  small  task,  says  Mary 
Benner,  CIO  and  IT  director  for  the  Pennsyl¬ 
vania  Health  Department.  The  state  had  to 
consolidate  some  6,000  data  fields  from  100 
forms  to  600  actual  data  elements  in  the  data¬ 
base,  and  also  work  out  problems  with 
providers  on  antiquated  operating  systems 
trying  to  use  the  digital  certificates  that  enable 
secure,  encrypted  communications. 

Now,  the  biggest  challenge  is  getting  doc¬ 
tors  to  register.  Since  July  1,  when  the  system 
went  live,  the  department  has  received  57,000 
cases  of  reportable  diseases  electronically.  It 
also  gets  several  hundred  reports  a  week  in 
paper  form.  “Some  [doctors]  are  very  enthu¬ 
siastic,  and  others  don’t  have  a  computer  in 
their  office  and  don’t  want  one,”  Benner  says. 

With  that  kind  of  reluctance  and  the  ongo¬ 
ing  challenge  of  getting  the  industry  to  adopt 
a  set  of  standards,  a  national  bioterrorism  sur¬ 
veillance  system  seems  far  off,  indeed.  Right 
now,  truly  effective  public  health  surveillance 
must  await  the  resolution  of  a  national  debate 
on  how  homeland  security  will  play  out  in  a 
country  that  has  always  prided  itself  on  its 
freedoms.  And  that  debate  will  increasingly 
depend  on  how  well  technology  balances  the 
public’s  need  to  know  with  the  individual’s 
right  to  privacy. 

“We  have  to  decide  as  a  nation  how  much 
security  and  privacy  we  need  when  those  two 
things  are  in  a  trading  relationship,”  says  Pitts¬ 
burgh  School  of  Medicine’s  Allswede.  “What 
we’re  doing  in  terms  of  information  technol¬ 
ogy— and  where  it  has  to  progress— is  a  micro¬ 
cosm  of  that  larger  sociological  change.”  : 

Senior  Writer  Sarah  D.  Scalet  can  be  reached  via  e-maii  at 
sscalet@cxo.com. 

More  Resources  On 

Visit  CSOonline’s  THREATS  &  RECOVERY  RESEARCH 

CENTER  to  read  more  articles  about  planning  tor  and 

responding  to  disasters. 


www.csoonline.com/threats 


August  2003  www.csoonline.com  47 


8:00  AM-1:30  PM 

Golf  Tournament 

2:00  PM-7:30  PM 

Registration 

4:15  PM-5:30  PM 

CIO  Executive  Mindshare 
Meetings 

Small  working  groups  explore  the 
leadership  challenges  and  best 
practices  of  specific,  critical 
IT/business  topics. 

1  Managing  the  risks  of 
outsourcing— including  offshore 

2  IT  cost  control  &  flexibility 

3  Leveraging  IT  employees:  bring¬ 
ing  their  full  potential— 

and  hanging  on  to  them 

4  The  CSO  in  you:  how  to  be  your 
own  security  watchdog 

5  Long-term  partnerships:  negoti¬ 
ating  strong,  mutually  benefi¬ 
cial  vendor  deals 

6  Dealing  with  consolidation  in 
the  tech  industry 

7  Ensuring  data  privacy  in  an 
access-hungry  environment 

5:30  PM-7:30  PM 

Cafe  100:  Welcome 
Reception  &  Golf 
Tournament  Awards 

7:30  PM-9:30  PM 

NetIQ’s  Swingin’  Speakeasy 


7:00AM-8:00  AM 

Registration  and  Breakfast 

8:00  AM-8:15  AM 

Conference  Welcome 

ABBIE  LUNDBERG 

Editor  in  Chief,  CIO  Magazine 

8:15  AM-9:00  AM 

Opening  Keynote 

PAUL  SAFFO,  Conference 
Moderator 

Director  and  Roy  Amara  Fellow, 
Institute  for  the  Future 
Saffo  talks  about  why  he  thinks  we 
are  poised  on  the  verge  of  an 
onslaught  of  technological  innova¬ 
tion  that  will  affect  every  corner  of 
business  and  society  in  the 
decades  ahead— even  though  at 
first  glance,  this  coming  wave 
seems  to  defy  anticipation,  much 
less  meaningful  assessment  of  its 
likely  impacts. 

9:00  AM-10:00  AM 

Creating  a  Cutting-Edge 
Culture 

Moderator:  RICK  SWANBORG, 

President,  ICEX 
Panelists: 

RIZWAN  AHMED,  CIO,  Louisiana 
Office  of  Group  Benefits 
ROBERT  DUTILE,  Group  Manager 
&  Executive  Vice  President, 
Enterprise  Architecture  Group, 
KeyCorp. 

JAN  FRANKLIN,  CIO  &  Vice 
President,  Farmers  Insurance 
Group 


In  today’s  current  competitive  envi¬ 
ronment,  innovation  and  resource¬ 
fulness  are  more  important— and 
more  challenging— than  ever.  This 
panel  of  CIO  100  winners  describes 
how  they’ve  managed  to  be  simul¬ 
taneously  resourceful  and  forward- 
thinking,  creating  an  enterprise¬ 
wide  mindset  of  innovation  even  in 
the  toughest  of  times. 

10:00  AM-10:30  AM 

Innovation,  Leadership  & 
Resourcefulness 

CRAIG  CONWAY,  CEO,  Peoplesoft 

11:00  AM-11:45  AM 
Industry  Briefings 

Our  corporate  partners  present 
case  studies  and  sessions  on 
deploying  the  latest  technologies 
and  services. 

11:55  AM-12:25  PM 
Getting  Fast  and  Flexible 

JEFF  COHEN,  CIO,  JetBlue  Airways 
One  of  our  CIO  100  winners  shares 
how  they  developed  faster,  more 
flexible  processes  inside  and  out¬ 
side  the  company  despite  restric¬ 
tions  on  their  resources. 

12:35  PM-1:35  PM 

Networking  Luncheon 

1:45  PM-2:10  PM 

Creating  New  Methods  of 
Demonstrating  Value 

DOUGLAS  F.  BUSCH,  Executive 
Vice  President  &  CIO,  Intel 
Corporation 

In  tough  times,  we’re  under  more 
pressure  to  demonstrate  the  value 
of  every  IT  dollar.  But  if  traditional 
metrics  for  determining  and 


demonstrating  ROI  don't  work  in 
your  case— create  new  ones.  This 
winner  did. 

2:10  PM  -  2:35  PM 
Creating  New  Tools  to 
Prioritize  IT  Initiatives 

ROBERT  WEIR,  Vice  President  of 
IS,  Northeastern  University 
Universities  always  operate  under 
financial  constraints  and  have  noto¬ 
riously  vocal  department  heads. 
How  do  you  develop  a  method  to 
really  evaluate  and  prioritize  all  IT 
initiatives  that  everyone  buys  into— 
and  that  works? 

2:45  PM-4:20  PM 

Industry  Briefings 

4:30  PM-5:30  PM 

Motivating  Employees  and 
Boosting  Morale 
Moderator:  MARTHA  HELLER, 

Director,  CIO  Best  Practice 
Exchange  &  CIO  Select 
Panelists: 

STEVEN  W.  AGNOLI,  CIO, 
Kirkpatrick  &  Lockhart  LLP 
MARY  FONDER,  CIO,  Maysteel  LLC 
J.  A.  GOTTRON  II,  Executive  Vice 
President  &  CIO,  The  Huntington 
National  Bank 

When  the  economy  enters  a  down¬ 
ward  spiral,  so  does  morale— and 
that  can  cause  productivity  and 
sales  to  hit  the  skids  as  well.  We 
bring  together  a  group  of  CIO  100 
winners  to  share  a  diverse  collec¬ 
tion  of  initiatives. 

5:30  PM-7:00  PM 

Cafe  100  Reception 


August  17-19, 2003  I  The  Broadmoor  I  Colorado  Springs,  CO 
To  enroll  I  800.355.0246  I  www.cio.com/conferences 


Our  award-winning  CIOs  share  ideas 
you  can  use  today,  as  they  tell  us 

What  Works  Now 

Some  of  our  favorite  thought-leaders 
look  into  the  future,  and  predict 

What  Lies  Ahead 


: 

- 

■ 


:4: 


mM: 


Sponsored  by 

H9UOM 

GREAT  RELATIONSHIPS" 

APC 

Legendary  Reliability’ 


<bmc 


SU  i 


Assuring  Business  Availability® 


Tuesday 


7:00  AM-8:00  AM 
Breakfast  and  Informal 
Roundtable  Discussions 

Gather  with  CIO  magazine  editors 
and  fellow  attendees  to  discuss 
common  problems  and  possible 
solutions. 

8:00  AM-8:15  AM 

Welcome 

PAUL  SAFFO 

Conference  Moderator 

8:15  AM-9:15  AM 

Leading  in  an  Age  of 
Extraordinary  Challenge 

Moderator:  ABBIE  LUNDBERG, 

Editor  in  Chief,  CIO  Magazine 
Panelists: 

STEPHEN  N.  DAVID,  CIO  & 

Business-to-Business  Officer, 

Procter  &  Gamble 
TOM  MURPHY,  CIO,  Royal 
Caribbean  Cruise  Lines 
ANDRE  SPATZ,  CIO,  UNICEF 
BETTE  WALKER,  CIO  &  Vice 
President,  Delphi  Corporation 
Lundberg  hosts  a  panel  of  award¬ 
winning  CIOs.  They  discuss  our  cur¬ 
rent  state  of  evolution,  where  we’re 
heading  and  the  requirements  of 
the  IT  leadership  role,  including 
shifting  accountability,  governance 
and  organization  models. 

9:15  AM-10:00  AM 

Leadership:  Partnering  In 
Action 

Most  businesses  are  only  as  strong 
as  their  executive  teams,  making 
the  relationship  between  the  "O’s” 
more  critical  than  ever  during  diffi¬ 
cult  times. 


10:30  AM-11:15  AM 

Industry  Briefings 

11:25  AM-12:15  PM 

Smart  Mobs— Mobile 
Communications,  Pervasive 
Computing,  and  Collective 
Action 

HOWARD  RHEINGOLD 

Author,  Journalist,  Futurist  and 
Guru  of  Digital  Culture 
Smart  mobs  display  the  ultimate 
resourcefulness.  They  harness  the 
combination  of  mobile  communica¬ 
tion,  the  Internet  and  pervasive 
computing  to  enable  people  to 
cooperate  in  ways  never  before  pos¬ 
sible.  Rheingold  takes  a  hard  look 
at  the  driving  forces,  critical  uncer¬ 
tainties,  opportunities  and  threats 
posed  by  smart  mob  devices  and 
practices. 

12:30  PM-2:00  PM 

Networking  Luncheon 

2:00  PM-2:30  PM 

What  You  Need  to  Know 
About  Sarbanes-Oxley 

MICHAEL  CARPENTER,  Partner, 
KPMG 

At  our  April  CIO  Perspectives  con¬ 
ference,  several  CIOs  from  large, 
well-known  organizations  were  sur¬ 
prised  to  find  out  what  they  really 
needed  to  know  about  complying 
with  Sarbanes-Oxley,  and  about 
how  large  their  role  should  be.  We 
asked  Michael  Carpenter  to  help 
give  everyone  a  “head’s  up”  on 
what  we  feel  is  an  important  issue 
for  CIOs. 

2:40  PM-3:25  PM 

Industry  Briefings 


3:40  PM-4:40  PM 

Looking  Ahead— IT 
Reinterpreted 
W.  BRIAN  ARTHUR 

Citibank  Professor,  Santa  Fe 
Institute 

Arthur  shares  his  views  on  how  IT 
is  being  reinterpreted  by  old,  tradi¬ 
tional  industries— resulting  in  com¬ 
pletely  new  sub-industries  such  as 
genomics,  proteomics,  financial 
engineering,  smart  pharmaceuti¬ 
cals,  nanotechnology,  and  the  like. 
They  are  being  born  out  of  IT,  and 
will  change  our  lives  and  our  busi¬ 
nesses. 

4:40  PM-5:00  PM 

Conversations— Going 
Forward 

Paul  Saffo,  W.  Brian  Arthur,  Howard 
Rheingold  and  Friends 
Over  the  past  two  days,  several  of 
our  CIO  100  award  winners  have 
shared  “what  works  now,”  and  our 
industry  gurus  have  provided  their 
views  about  “what  lies  ahead.”  We 
come  together  to  talk  about  what  it 
means  for  us  personally,  for  CIOs 
professionally,  and  for  our  organiza¬ 
tions  going  forward. 

5:00  PM-5:15  PM 

Final  Comments 

PAUL  SAFFO 


CIOIOO 

Awards  Ceremony 

6:15  PM -11:00  PM 

CIO  100  Awards 
Reception 

CIO  100  Awards  Dinner 
&  Ceremony 

■ 

Dessert  Reception 

u.,  mrr  inn 


IDS 


EVERGREEN 


(  equant 
FUJITSU 


invent 

0. 

net© 

Work  Smarter. 

red  hat. 

ZSStAVVIS 

The  Network  that  Powers  Wall  Street* 

SupportSoft 

■TIBCQ 

The  Power  of  Now” 

This  year's  CIO  100  Awards 
Ceremony  is  proudly 
underwritten  by 

PeopleSoft. 

Presented  by 


PeopleSoft,  Inc 


:  J'-v" 


The  Resource  for 
Information  Executives 


IN  THIS  STORY: 

Why  cultural  differ¬ 
ences  regarding  pri¬ 
vacy  in  the  U.S.  and 
Europe  are  causing 
conflict  for  the  CSO 


HERE  PRIVACY  IS  CON- 

cerned,  Americans  dis¬ 
trust  their  government. 
But  they’ll  gladly  hand  over 
their  personal  information 
to  a  corporation  to  get  a  deal 
on  their  groceries. 

Europeans,  on  the  other  hand,  will  give 
their  government  extremely  broad  surveil¬ 
lance  powers,  but  they  largely  forbid  private 
enterprise  from  accessing  any  personal  data 
without  their  express  written  consent.  In  the 
corporate  security  world,  this  has  translated 
into  an  ideological  disconnect:  U.S.  executives 
think  Europeans  are  missing  the  marketing 
opportunity  personal  data  provides,  and  the 
Europeans,  by  and  large,  see  their  American 
counterparts  as  fast  and  loose— callous  even— 
when  it  comes  to  their  citizens’  privacy.  Until 
recently  these  issues  had  settled  into  a  quiet 
detente.  However,  resentments  churned  up 
by  recent  world  events  have  European  pri¬ 
vacy  experts  predicting  that  U.S.  companies 
are  likely  to  face  a  new  hard-line  approach  to 
privacy  enforcement  in  their  business  deal¬ 
ings  on  the  continent. 

But  views  on  privacy  have  also  been  chang¬ 
ing  within  the  United  States.  HIPAA  and  a 
slew  of  post-9/ll  antiterrorism  legislation 
started  the  trend,  and  rapid  technological 


advances  that  make  invading  one’s  privacy 
shockingly  easy  have  drawn  more  attention 
to  the  privacy  issue.  The  result  is  that  Amer¬ 
ica  is  looking  more  and  more  like  the  Old 
Country,  at  least  when  it  comes  to  privacy. 

The  libertarian  values  of  the  founding 
fathers  infused  American  culture  with  a  live- 
and-let-live  attitude.  A  majority  of  U.S.  citi¬ 
zens  still  wrinkle  their  noses  at  any  proposal 
that  smacks  of  increased  government  regula¬ 
tion.  The  issue  of  privacy  has  consequently 
been  handled  on  an  industry-by-industry 
basis— with  only  high-risk  sectors  such  as 
health  care  and  financial  services  bending  to 
the  force  of  legislation.  Meanwhile,  most  busi¬ 
nesses  have  been  left  to  carry  on  the  collection, 
use  and  trading  of  personal  data  and  infor¬ 
mation  at  will  behind  a  very  thin  curtain  of 
“self-regulation.” 

At  the  center  of  this  confluence  of  govern¬ 
ment  legislation,  international  pressure  and 
the  ongoing  debate  over  security  versus  pri¬ 
vacy  is  the  CSO.  He  is  charged  with— and  will 
ultimately  be  held  responsible  for— navigating 
through  the  turbulence. 

The  CSO  has  a  tremendous  impact  on  the 
development,  execution  and  effectiveness  of 
the  corporate  privacy  policy.  Whether  respon¬ 
sibility  for  privacy  resides  in  the  security 
group,  with  the  legal  counsel,  in  human  re- 


ivac 
ma 


7 


America’s  new  rules  of  privacy  are  coming  from 
the  Old  Country.  Here’s  how  Europe  is  getting  America 

to  rethink  privacy.  By  Daintry  Duffy 


50  www.csoonline.com  August  2003 


PHOTO  BY  TRACEY  KROLL 


The  FTC's  Safe  Harbor  agreement  requires  U.S. 
companies  to  abide  by  the  EU’s  basic  privacy  prin¬ 
ciples.  “But  it’s  only  a  partial  solution,”  says  Ivan 
Fong,  chief  privacy  leader  and  senior  counsel  of  IT 
at  General  Electric. 


sources  or  with  a  specially  appointed  chief 
privacy  officer,  the  CSO  is  a  critical  partner  in 
giving  a  privacy  program  life. 

But  it  isn’t  an  easy  partnership.  “You  can 
have  great  security  without  privacy  I  sup¬ 
pose,”  says  Peter  Cullen,  former  chief  privacy 
officer  of  Royal  Bank  of  Canada  and  newly 
appointed  chief  privacy  strategist  for  Micro¬ 
soft,  “but  you  can’t  have  great  privacy  without 
great  security.” 

Why  is  it  so  hard  for  companies,  and  indeed 
governments,  to  reconcile  the  two? 

“Such  intuition  used  to  be  at  the  heart  of 
America’s  Fourth  Amendment,”  says  Jeffrey 
Rosen,  associate  professor  of  law  at  George 
Washington  University,  referring  to  the  right 
of  citizens  to  be  safe  from  unlawful  search 
and  seizure.  “The  most  invasive  measures 
should  be  limited  to  the  most  serious  crimes, 
but  we  lost  that  principle  along  the  way,”  adds 
Rosen,  who  is  also  author  of  The  Unwanted 
Gaze:  The  Destruction  of  Privacy  in  America. 

In  the  United  States  especially,  the  rela¬ 
tionship  between  privacy  and  security  has 
been  a  particularly  contentious  one— not  only 
because  of  the  disinclination  toward  legisla¬ 
tion  but  also  because  information  has  always 
been  the  lifeblood  of  our  capitalist  culture: 
Privacy  protections,  it  is  feared,  could  put  a 
stranglehold  on  the  flow  of  commerce. 

But  the  war  on  terror  in  particular  has 
brought  the  clash  between  privacy  and  secu¬ 
rity  to  the  forefront  like  never  before.  Recent 
cases— such  as  the  attention  given  the  Mus- 
lim-American  woman  in  Florida  who  refused 
to  remove  her  veil  for  a  driver’s  license  picture, 
and  the  furor  that  greeted  the  announcement 
of  the  government’s  plan  for  the  Total  Infor¬ 
mation  Awareness  Program,  which  would  lint 
and  mine  databases  to  identify  security 
threats— have  further  muddied  the  relation¬ 
ship  between  the  two.  One  always  seems  to  be 
implemented  at  the  expense  oi  the  other. 

The  problem  is  exacerbated  on  the  corpo¬ 
rate  side  bv  the  breakdown  in  communica- 


August  2003 


csoonhne.com 


Privacy 


tion  that  often  occurs  between  the  privacy  and 
security7  folks.  CPOs  such  as  Cullen  feel  some¬ 
what  misunderstood  by  the  security  profes¬ 
sion.  “CSOs  don’t  understand  privacy  as  well 
as  privacy  officers  understand  security,”  he 
says,  noting  that  he  believes  privacy  is  more 
nuanced  and  less  black-and-white.  “Security  is 
a  fairly  rational  thing— the  antivirus  protec¬ 
tion  is  either  on  or  off— whereas  there  is  a 
high  degree  of  variability  in  privacy.”  What 
feels  invasive  to  one  person  can  be  of  little 
matter  to  the  next. 

More  than  a  quarter  of  the  1,010  U.S.  citi¬ 
zens  responding  to  the  annual  Harris  Interac¬ 
tive  poll  in  February  2003  identified  themselves 
as  being  “privacy  fundamentalists.”  They  feel 
strongly  about  the  loss  of  privacy  and  will  resist 
any  further  erosion.  Only  10  percent  of  respon¬ 
dents  identified  themselves  as  “privacy  uncon¬ 
cerned.”  They  have  little  or  no  anxiety  about 
how  their  information  is  collected  and  used. 
But  a  majority  of  people— 63  percent— take 
the  “privacy  pragmatist”  approach.  They  may 
be  concerned  and  aware  of  issues  surrounding 
privacy,  but  they  are  also  willing  to  trade  some 
of  their  personal  information  if  the  perceived 
benefit  is  great  enough  and  the  risk  of  infor¬ 
mation  misuse  is  low. 

The  Continental  Clash 

In  Europe,  however,  the  issue  of  privacy  goes 
beyond  that  of  a  preference.  It  is  seen  as  a 
fundamental  human  right.  For  that  reason, 
the  Europeans  have  had  a  much  easier  time 
combining  the  issues  of  security  and  privacy 
into  a  single  ethic  of  information  handling. 
“In  the  U.S.,  citizens  see  privacy  as  a  legal 
minefield,”  says  Simon  Davies,  director  of 
London-based  Privacy  International,  noting 
that  consequently  it  often  is  turned  over  to 
the  legal  counsel  or  human  resources  to  man¬ 
age.  “In  Europe  [privacy  is]  more  a  human 
condition  than  a  legal  condition.  It’s  more  a 
social  issue  than  a  litigation  issue.  So  security 
people  find  it  easier  to  take  [privacy]  on.  In 
the  United  States,  the  corporate  environment 
is  steeped  in— and  constantly  threatened  by- 
litigation.”  When  the  prime  directive  is  avoid¬ 
ing  litigation,  it  becomes  next  to  impossible  for 
security  and  privacy  to  evolve  side  by  side. 

The  differing  views  on  privacy  between  the 
United  States  and  Europe— and  even  among 
the  European  Union  countries— are  based  on 


the  intrinsic  values  of  cultures  that  are  cen¬ 
turies  old.  For  example,  British  citizens  are 
protected  by  the  EU  Data  Privacy  Directive 
(see  “EU  Data  Privacy  Directive,”  Page  53), 
which  gives  them  the  rights  of  notice,  choice 
and  access  to  their  personal  information  that 
Americans  don’t  have.  But  they  also  live  in  a 
culture  where  camera  surveillance  is  ubiqui¬ 
tous.  From  traffic  lights  to  street  corners, 
British  citizens  are  under  almost  constant 
observation. ..and  they  don’t  seem  to  mind. 
“Britain  continues  to  confound  and  surprise 
me,”  says  Rosen.  “They  have  embraced  cam¬ 
eras,  showing  great  deference  to  authority, 
and  yet  this  same  culture  that  is  wired  with 
cameras  is  far  more  respectful  of  people’s  pri¬ 
vacy  in  public.  They  don’t  stare  at  celebrities 
or  yell  loudly  on  their  cell  phones  on  the  train. 
They  maintain  boundaries  the  more  demo¬ 
cratic  Americans  don’t  respect.” 

The  German  experience  with  Nazism  had  a 
profound  effect  on  that  country’s  cultural 
views  about  privacy  and  the  rest  of  Europe’s  as 
well.  During  World  War  II,  people  saw  the 
destructive  power  that  information  could  have 
in  the  hands  of  an  evil  government.  The  post¬ 
war  lesson  of  maintaining  a  healthy  relation¬ 
ship  between  citizens  and  organizations  also 
fostered  a  belief  in  a  right  to  privacy.  Today’s 
German  Secret  Service,  for  example,  is  given 
broad  surveillance  authority— but  only  to 
investigate  terrorism.  Any  evidence  of  a  low- 
level  crime  that  is  discovered  in  the  process  of 
that  surveillance  cannot  be  legally  pursued, 
preventing  authorities  from  going  on  fishing 
expeditions  for  information. 

The  French  are  tremendous  proponents  of 
government  regulation  for  just  about  every¬ 
thing.  Unlike  Americans,  they  feel  no  need  to 
constrain  their  government’s  involvement  in 
instituting  privacy  controls  and  have  some  of 
the  most  extensive  regulations  of  dignitary 
offenses  in  Europe. 

When  Europeans  embraced  omnibus  pri¬ 
vacy  legislation  in  1995  with  passage  of  the  EU 
Data  Privacy  Directive,  Americans  were  forced 
to  respond.  In  order  to  preserve  the  continu¬ 
ity  of  trans-Atlantic  commerce,  the  Federal 
Trade  Commission  brokered  an  agreement 
with  the  EU  called  Safe  Harbor,  which  would 
require  U.S.  companies  that  sign  on  to  it  to 
abide  by  the  EU’s  basic  privacy  principles. 

However,  relatively  few  U.S.  companies 


“U.S.  citizens  see  privacy  as  a  legal  minefield,” 
says  Simon  Davies,  director  of  London-based 
Privacy  International.  “Europeans  see  it  more 
as  a  human  condition.” 

have  signed  on— only  353  at  press  time— and 
the  vast  majority  of  those  are  small  companies 
rather  than  the  Fortune  1000  behemoths 
whose  information  practices  could  cause  the 
greatest  harm  to  the  privacy  of  European  cit¬ 
izens.  “Safe  Harbor  was  and  is  a  well-inten¬ 
tioned  effort  and  works  for  many  companies,” 
says  Ivan  Fong,  chief  privacy  leader  and  sen¬ 
ior  counsel  of  IT  at  General  Electric.  “But  it 
is  only  a  partial  solution  for  other  companies, 
in  that  it  only  covers  data  flows  between 
Europe  and  the  U.S.,  and  many  multination¬ 
als  have  data  flows  that  go  beyond  that  route.” 
He  adds  that  Safe  Harbor,  as  currently  nego¬ 
tiated,  doesn’t  cover  financial  services  com¬ 
panies  because  the  United  States  and  the  EU 
cannot  agree  on  whether  the  U.S.  data  pro¬ 
tection  laws  that  govern  financial  institutions 
meet  the  EU’s  “adequate  protection”  standard. 

The  FTC,  by  the  way,  is  actually  one  of  the 
central  reasons  behind  Safe  Harbor’s  poor 
showing.  It  has  enforcement  authority  over 
the  program,  and  the  majority  of  U.S.  com¬ 
panies  don’t  want  to  come  under  its  jurisdic¬ 
tion  and  open  themselves  up  to  litigation. 
Instead,  most  companies  seeking  to  transact 
business  in  Europe  have  chosen  to  negotiate 
individual  contracts  with  the  EU  member 
states,  stating  that  they  will  abide  by  the  basic 
precepts  of  EU  privacy  practices. 

But  terrorism  and  technology  have  changed 
the  standards  and  the  stakes  of  compliance. 
Since  Sept.  11,  the  U.S.  government  has  made 
new  information  demands  on  its  European 
allies  in  the  name  of  security,  which  forces 
them  in  many  cases  to  break  their  own  privacy 
policies.  For  example,  U.S.  authorities  are 
requiring  that  all  foreign  airlines  that  land  in 
the  United  States  present  complete  passenger 
lists,  a  move  that  directly  violates  European 
privacy  laws.  But  airlines  such  as  Lufthansa 
and  Air  France  that  want  to  be  able  to  land  in 
the  United  States  have  been  quietly  surren¬ 
dering  that  information  anyway. 

Davies  notes  that  security  measures  such 
as  those  contained  in  the  Enhanced  Border 
Security  and  Visa  Reform  Act  of  2002  (H.R. 
3525)  are  causing  a  great  deal  of  resentment 


52  www.csoonline.com  August  2003 


EU  Data 

Privacy  Directive 


in  Europe.  “There  is  a  sense  of  betrayal  in 
Europe  that  we  will  now  have  to  be  finger¬ 
printed  as  we  enter  the  United  States.  It’s  a 
betrayal  of  comradeship  and  of  trust,”  he 
says.  “We’ve  been  partners  throughout  the 
century,  and  to  find  ourselves  now  cast  aside 
and  treated  as  aliens— well,  it’s  done  incal¬ 
culable  damage.”  Davies  also  points  to  fur¬ 
ther  irritants:  the  war  of  words  that  erupted 
between  France  and  the  United  States,  and 
the  fallout  from  Europe’s  disfavor  of  the  inva¬ 
sion  of  Iraq. 

And  Davies  is  not  alone  in  feeling  that  way. 
Alan  Westin,  president  of  the  Washington, 
D.C.-based  Center  for  Social  and  Legal  Re¬ 
search,  and  cofounder  and  publisher  of  the 
Privacy  and  American  Business  Journal, 
notes  that  Stephano  Rodota,  president  of  the 
Italian  Data  Protection  Authority,  recently 
spoke  out  strongly  against  the  European  air¬ 
lines  for  surrendering  their  passenger  infor¬ 
mation  to  the  United  States. 

The  result  could  be  serious  for  U.S.  com¬ 
panies  that  want  to  do  business  in  Europe. 
Davies  predicts  that  European  privacy  author- 

PHOTO  BY  PATRICK  BARTH 


ities  are  going  to  get  much  tougher  on  Amer¬ 
icans  who  flout  their  privacy  regulations. 
“There  is  going  to  be  far  more  attention  to 
detail  in  contracts  and  on  the  information 
flow,  and  a  more  rigorous  interpretation  of 
data  rules,”  he  says.  “It  may  be  occurring  for  all 
the  wrong  or  all  the  right  reasons,  but  this  is 
the  state  of  the  world  today.  And  because  of 
the  bad  blood  in  Europe,  data  protection  is 
one  of  the  areas  where  rules  will  be  more  rig¬ 
orously  applied.” 

Experts  note  that  no  overt  actions  have 
been  taken  against  U.S.  companies  to  date, 
and  privacy  officers  such  as  Fong  have  had 
no  bad  experiences  with  the  European  infor¬ 
mation  commissioners.  But  Fong  does  note 
that  the  relationship  with  the  European 
authorities  is  one  that  GE  has  carefully  culti¬ 
vated.  “We  make  an  effort  to  get  to  know  them 
and  to  learn  what  their  priorities  and  con¬ 
cerns  are.  Just  as  with  any  other  relationship, 
it’s  important  to  develop  open  lines  of  com¬ 
munication,”  says  Fong.  Innoculation  against 
international  mood  swings  could  be  a  very 
smart  policy. 


European  countries  have  had  privacy  regu¬ 
lations  for  years.  In  1995,  the  disparate 
rules  were  synthesized  into  the  EU  Data 
Privacy  Directive,  a  single  policy  covering 
all  15  member  countries. 

It  mandates  that  personal  information 
must  be: 

■  Processed  fairly  and  lawfully 

■  Collected  for  specified  and  legitimate 
purposes  only 

■  Accurate  and  up-to-date;  steps  must  be 
taken  to  rectify  or  erase  incorrect  data 

■  Nontransferable  to  third  parties  without 
permission 

■  Nontransferable  to  countries  that  lack 
adequate  privacy  protection 

■  Protected  by  a  corporate  data  controller 
(equivalent  to  the  U.S.  chief  privacy  offi¬ 
cer  responsible  for  ensuring  that  data 
practices  are  followed) 

■  Processed  only  in  cases  where  the  sub¬ 
ject  has  given  clear  consent 

-D.D. 

Homegrown  Hindrances 

As  if  continental  mudslinging  weren’t  bad 
enough,  corporate  privacy  practices  are  also 
on  the  defensive  at  home.  The  FTC  has  long 
been  the  government  agency  most  closely 
associated  with  the  issue  of  privacy  in  the 
United  States.  But  even  with  niche  regula¬ 
tions  like  COPPA  (Children’s  Online  Privacy 
Protection  Act),  HIPAA  (Health  Insurance 
Portability  and  Accountability  Act)  and  GLBA 
(Gramm-Leach-Bliley  Act),  the  FTC’s  role  has 
been  more  of  an  educator  than  an  enforcer. 

But  recently  the  FTC  has  taken  a  much 
more  active  role  in  calling  companies  to 
account  for  privacy  violations.  When  Eli  Lilly 
violated  its  own  privacy  policy  by  accidentally 
releasing  669  customer  addresses  in  the  “to 
field  of  an  e-mail  from  its  Prozac.com  website, 
the  FTC  filed  a  complaint  that  accused  the 
company  of  failing  to  protect  customer  infor¬ 
mation,  of  inadequately  training  its  employ¬ 
ees,  and  providing  insufficient  oversight  for 
the  employee  who  sent  out  the  e-mail.  The 
complaint  was  settled  last  year. 

Westin  notes  that  the  decision  was  impor- 


August  2003  www.csoonline.com  53 


tant  because  it  reinforced  with  high-profile 
action  the  FTC’s  stated  position.  “If  you  make 
promises  about  privacy,  you  have  to  take  ade¬ 
quate  or  reasonable  measures  to  implement 
[those  assurances],”  Westin  says.  “Every  secu¬ 
rity  officer  should  have  a  copy  of  that  ruling 
because  it  sets  the  standard  for  website  secu¬ 
rity  and  confidentiality.” 

The  settlement  requires  Eh  Lilly  to  estab¬ 
lish  a  four-tiered  information  security  program 
with  the  physical,  technical  and  administrative 
safeguards  necessary  to  guard  against  a  sim¬ 
ilar  breach  in  the  future.  Specifically,  the  com¬ 
pany  must  designate  appropriate  personnel 
to  coordinate  and  oversee  the  program,  iden¬ 
tify  and  address  internal  and  external  risks  to 
the  security  of  personal  information,  conduct 
an  annual  written  review  of  the  program  to 
monitor  and  document  compliance,  and 
adjust  the  program  in  the  future  based  on  the 
review’s  findings  and  recommendations.  With 
its  punitive  actions,  the  FTC  has  basically 
become  an  active  participant  in  Eli  Lilly’s 
security  program— creating  a  cautionary  tale 
for  other  companies  that  might  be  inclined 
to  accidentally  or  purposely  disregard  their 
own  privacy  policies. 

California  has  enacted  a  law  that  will  have 
an  equally  wide-reaching  effect  on  corporate 
privacy  practices.  The  Security  Breach  Notifi¬ 


cation  Act  went  into  effect  on  July  1  requiring 
companies  to  disclose  details  if  they  believe  a 
breach  has  led  to  the  release  of  personal  infor¬ 
mation.  The  data  covered  by  this  law  is  an 
individual’s  name  combined  with  one  or  more 
of  the  following  unencrypted  pieces  of  infor¬ 
mation:  Social  Security  number,  driver’s 
license  or  ID  card  number,  or  an  account, 
credit  or  debit  card  number  with  the  pass¬ 
word  that  accesses  that  financial  information. 

While  the  law  is  intended  to  make  citizens 
aware  of  potential  abuses  of  their  personal  and 
financial  data,  it  is  likely  to  create  a  public  rela¬ 
tions  nightmare  for  companies  that  will  have  to 
quickly  go  public  with  suspected  breaches  even 
if  they  later  discover  that  no  personal  informa¬ 
tion  was  actually  compromised  or  used.  Any 
company  with  customers  in  California  must 
comply  with  the  law  regardless  of  where  the 
company  is  based.  “As  consumers,  we’re  going 
to  be  getting  lots  and  lots  of  notifications,”  says 
Westin.  “Hacking  into  customer  files,  laptop 
thefts  and  [accidental]  information  disclo¬ 
sures— these  things  happen  every  day.  And 
under  this  California  law,  it  creates  an  extraor¬ 
dinary  exposure.”  As  an  example,  Westin  recalls 
receiving  a  call  about  three  years  ago  from  a 
company  that  handled  benefits  information  for 
various  employers.  A  car  belonging  to  one  of  the 
company’s  sales  reps  was  broken  into,  and  a 


“You  can  have  great  security  without 
privacy,”  says  Peter  Cullen,  former 
chief  privacy  officer  of  Royal  Bank 
of  Canada  and  newly  appointed  chief 
privacy  strategist  for  Microsoft. 

“But  you  can’t  have  great  privacy 
without  great  security.” 


laptop  was  stolen  that  contained 
the  personal  records  of  50,000 
employees  complete  with  names, 
addresses,  Social  Security  numbers 
and  income  information— an  iden¬ 
tity  thief  s  Valhalla.  The  company 
suspected  that  the  laptop  was 
stolen  merely  for  resale  value,  but 
it  wanted  to  know  from  Westin 
whether  it  should  notify  the  em¬ 
ployees  that  their  information’s 
security  was  in  potential  jeopardy. 
At  the  time  he  advised  the  com¬ 
pany  to  not  directly  notify  employ¬ 
ees  but  make  some  contacts  within 
the  employee  group  so  that  if  any 
information  was  used  improperly,  they  would 
hear  about  it  quickly;  contact  the  police  in  case 
the  laptop  turned  up  at  a  pawn  shop;  and  cer¬ 
tainly  require  salespeople  to  encrypt  their  files 
in  the  future.  Hundreds  of  companies  will  now 
face  this  same  dilemma  without  the  option  of 
taking  a  wait-and-see  attitude. 

Yet,  regardless  of  who  manages  privacy,  the 
CSO’s  role  is  to  bridge  the  gap  between  what 
is  promised  and  what  is  possible.  “The  CSO 
has  to  to  carry  out,  understand— and  if  nec¬ 
essary,  challenge— the  assumptions  of  policy¬ 
makers,  especially  when  those  policies  place  a 
demand  on  systems  that  the  CSO  knows  can’t 
be  met,”  says  Westin.  These  evolving  stan¬ 
dards  further  underscore  the  importance  of 
having  the  security  and  privacy  policies  and 
practices  inextricably  linked  so  that  each  sup¬ 
ports  the  other.  ■ 


Send  Senior  Editor  Daintry  Duffy  feedback  via  e-mail  at 
dduffy@cxo.com. 


Learn  how  to  protect  your  customer  data  by  revisiting 
some  well-known  privacy  gaffes  of  the  past.  Read 
“Worst  Practices  in  Customer  Privacy  Management,"  a 
CSOonline  ANALYST  REPORT  from  Gartner.  To  get 
there  in  a  jiffy,  type  the  DocID  number  (above)  into  the 
search  box  at  www.csoonline.com. 


Worst  Practices  for  Privacy 


54  www.csoonline.com  August  2003 


PHOTO  BY  PATRICK  NICHOLS 


Your  Enterprise  Monday  10:32  A.M 


Now  you  can  know 
what,  when,  where 
and  how  data  change 
has  occurred. 


Tripwire®  assures  the  integrity  of  your  data 
and  gives  you  the  ability  to  effectively 
pinpoint  and  manage  undesired  change 
across  all  your  servers  and  network  devices. 
By  establishing  a  baseline  of  data  in  its 
known  good  state,  Tripwire  software  monitors 
and  reports  any  changes  to  that  baseline 
and  enables  rapid  discovery  and  recovery 
when  an  undesired  change  occurs. 

Maximize  System  Uptime 

■  Identify  change  quickly 

■  Enable  quick  restoration  to  a  desired  state 

■  Eliminate  risk  and  uncertainty 

Failsafe  Foundation  for  Data  Security 

■  Ensure  the  integrity  of  your  data 

■  Enable  detailed  audit  reporting 

■  Granular  visibility  and  control 

Lower  Costs  and  Frustration 

■  Greatly  reduces  the  time  it  takes  to 
find  and  diagnose  problems 


Tripwire’s  data  integrity  assurance  solutions 
are  the  only  way  to  have  100%  confidence 
that  your  systems  remain  uncompromised. 
In  the  event  of  a  change  in  state,  you’ll 
know  exactly  what,  when,  where  and 
how  change  has  occurred  so  you  can 
recover  quickly. 


For  a  FREE  30-day  fully-functional  demo 
and  copy  of  the  white  paper  “Data  Integrity 
Assurance  in  a  Layered  Security  Strategy...”, 

call  toll-free:  1 -800-TRIPWIRE  (874.79 47) 
or  visit  http://cso.tripwire.com  today! 


THE  DATA  INTEGRITY  ASSURANCE  COMPANY 


i  Copyright  2003.  Tripwire  and  the  Tripwire  logo  are  registered  trademarks  of  Tripwire,  Inc. 


WHERE 


Issues  ►  Ideas  ►  Impact 


JW  Marriott  Desert  Ridge 
Resort  &  Spa 
Phoenix,  AZ 


Nov.  2-4,  2003 


www.cio.com/conferences 
or  800.366.0246 


You  Know  Where  You  Want  To  Go 

How  Do  You  Get  There? 


THE  ISSUES  economic  outlook  |  ethics  in  action  |  security  concerns  |  privacy  mandates  ! 
backlash  to  globalization  |  social  trends  |  regulatory  issues  |  domestic  &  foreign  policies  |  loss  of  IT 
jobs  to  outsourcing  |  leadership  |  emerging  technologies  |  state  of  IT  education  |  business  alignment 
|  vendor  consolidation  |  governance  |  resource  allocation  |  business  continuity 


Tap  the  collective  minds  of  hundreds  of  CIOs  at  CIO  1 04 


Presented  by 


The  Resource  for 
Information  Executives 


Sponsored  by 

■T  iny 

KEANE 


SfA'i 


tSAVVIS 


The  Network  that  Powers  Wall  Street" 


*0 


CIO  1 04— a  CIO  Perspectives® Conference  |  www.cio.com/conferences 


What  Every  CSO 
Needs  to  Know  About  PKI 


Technologies  Tools 
and  Tactics 


s-:? 


SB 


*But  was  afraid  to  ask  By  Simson  Garfinkel 


AST  MONTH  we  discussed  public-key 
cryptography,  a  mathematical  system  for 
scrambling  information.  You’ll  recall  that 
with  public-key  cryptography,  encryption  is 
performed  with  two  mathematical  keys:  one 
that  users  keep  secret,  called  the  private  key, 
and  one  that  they  can  freely  distribute,  called 
the  public  key.  These  “keys”  are  really  noth¬ 
ing  more  than  a  sequence  of  numbers,  typi¬ 
cally  several  hundred  digits  long.  What’s 
important  is  that  the  two  numbers  are  cre¬ 
ated  together  and  paired,  and  that  anything 
encrypted  with  the  public  key  can  be 
decrypted  only  with  the  secret  key. 

Back  in  the  1970s,  the  inventors  of  public- 


key  cryptography  thought  that  people  would 
one  day  publish  their  public  keys  in  some 
kind  of  directoiy— such  as  a  phone  directory 
but  with  hundred-digit  keys  instead  of  phone 
numbers.  That  way,  if  someone  you  had 
never  met  wanted  to  send  you  a  private  mes¬ 
sage  over  an  electronic  network,  that  person 
could  look  up  your  public  key  in  the  directory 
and  then  use  the  key  to  encrypt  the  message. 
When  you  got  the  message,  you  could  decrypt 
it  with  your  private  key.  (Although  the  idea 
of  using  encryption  for  e-mail  might  seem 
visionary  for  the  1970s,  it  really  wasn’t:  Pro¬ 
fessors  and  graduate  students  at  MIT  had 
been  sending  e-mail  to  each  other  since  the 


early  1960s  and  were  well  acquainted  with 
the  privacy  problems  that  arose  from  it.) 

Shortly  after  the  creation  of  public-key 
cryptography,  people  noticed  a  potential 
problem:  I  mean,  how  do  you  know  that  the 
key  printed  in  the  public  directoiy  next  to 
the  name  “Simson  Garfinkel”  really  belongs 
to  me  if  you  have  never  met  me  before?  As  it 
turns  out,  there’s  really  no  way  to  know  lor 
sure.  You  need  to  trust  the  company  that 
published  the  directory  and  hope  the  key  in 
the  directory  really  belongs  to  me  and  not  to 
some  shadowy  organization  thats  secretly 
intercepting  my  e-mail. 

To  protect  the  integrity  of  information, 


ILLUSTRATION  BY  ANASTASIA  VASILAKIS 


August  2003  www.csoonline.com  57 


Machine  Shop 


§ 


Fraud  Finders 

William  Gibson,  the  author  widely  known  for  coining 
the  term  cyberspace,  released  the  novel  Pattern 
Recognition  earlier  this  year.  The  book  (like  some  of 
Gibson’s  other  works)  features  a  protagonist  with  an 
intuitive  ability  to  detect  nonobvious  patterns  in  huge 
amounts  of  data.  Although  Gibson  is  considered  a 
science-fiction  writer,  Pattern  Recognition  is  set  in 
modern  times— which  is  appropriate  because  pattern 
recognition  technology  most  likely  already  has  a 
place  in  your  toolkit  and  is  being  evermore  applied 
in  the  security  field. 

One  of  the  most  common  areas  for  applying  pat¬ 
tern  recognition  is  financial  fraud  detection.  Software 
scans  reams  of  transactional  data,  looking  for  anom¬ 
alies  that  might  result  from  fishy  business.  This 
process  leads  to  a  never-ending  arms  race  of  sorts: 
As  detection  methods  become  more  sophisticated, 
fraud  perpetrators  have  to  use  more  ingenious  meth¬ 
ods  themselves  to  avoid  getting  nabbed. 

Penny  Gillespie,  a  senior  analyst  at  Forrester 
Research,  says  that  this  race  is  as  old  as  fraud  itself. 
For  years,  all  transactions  over  a  certain  limit  (say 
$10,000)  have  been  automatically  checked  for  fraud. 
Knowing  that,  criminals  started  making  multiple 
smaller  transactions.  So  now  banking  software  is 
being  fine-tuned  to  examine  the  smaller  transactions 
and  look  for  repeated  withdrawals  within  a  short  time 
frame,  ATM  cards  used  far  from  their  usual  geo¬ 
graphic  locations,  and  other  more  subtle  indicators 
that  something’s  amiss. 

Gillespie  offers  two  illustrations  from  personal 
experience.  Twice  her  credit  card  issuer  has  called 
to  verify  that  her  card  was  being  used  by  its  legiti¬ 
mate  owner.  The  first  time,  Gillespie  (who’s  based 
in  Virginia)  was  doing  some  shopping  on  a  trip  to 
New  York  City.  “That’s  a  pretty  usual  [situation 
for  verification] — the  card  company  was  seeing 
relatively  large  purchases  outside  of  my  normal 
region,”  she  says.  The  second,  more  recent  call,  how¬ 
ever,  was  over  a  single  $15  purchase  at  her  usual  gas 
station.  “I  asked  why  they  were  calling  over  such  a 
small  amount,  and  they  said,  ‘You’ve  never  pur¬ 
chased  gasoline  with  this  card  before.’  And  they  were 
right-1  usually  use  a  debit  card,  but  on  that  occasion 
I  didn’t  have  the  debit  card  with  me,"  she  says. 

A  recent  product  announcement  in  the  field  was 
that  of  Unisys'  early-June  release  of  the  Active  Risk 
Monitoring  System  (ARMS),  a  software  suite  for 
detecting  financial  fraud.  Gillespie  lists  a  host  of 
other  software  and  service  providers  in  this  area,  a 


we  rely  on  an  aspect  of  public-key  cryp¬ 
tography  called  digital  signatures.  In¬ 
stead  of  having  you  encrypt  a  message 
with  my  public  key  and  send  it  to  me,  I 
encrypt  the  message  with  my  private  key 
and  send  it  to  you.  If  you  can  decrypt 
that  message  with  my  public  key,  then 
you  know  that  the  message  had  to  have 
been  signed  with  my  private  key— 
mathematically  there’s  simply  no  refuting 
this  fact.  So  as  long  as  I  am  the  only  per¬ 
son  who  has  my  private  key,  you  can 
assume  that  the  message,  in  fact,  came 
from  me! 

Digital  signatures  can  be  used  to  sign 
any  kind  of  digital  information,  such  as 
an  e-mail  message  or  a  purchase  order. 
The  company  that  printed  the  directory 
could  digitally  sign  the  entire  directory 
with  its  private  key.  Before  you  use  my 
key  to  send  me  a  message,  you  first  ver¬ 
ify  the  digital  signature  using  your  copy 
of  the  publisher’s  public  key. 

In  practice,  publishers  don’t  sign  the 
entire  directory;  they  sign  each  individual 
directory  entry— called  “certificates”— be¬ 
cause  they  consist  of  a  person’s  name, 
her  public  key  and  a  digital  signature  cre¬ 
ated  with  the  publisher’s  private  key.  The 
popular  X.509v3  certificate  format  allows 
all  kinds  of  information  to  be  embedded 
into  a  certificate  and  digitally  signed. 
Because  they  issue  these  certificates,  we 
call  the  publishers  “certificate  authori¬ 
ties,”  or  CAs.  These  days  the  whole  sys¬ 


tem  of  directories,  certificates  and  CAs 
goes  by  the  buzzword  public-key  infra¬ 
structure,  or  simply  PKI. 

To  send  me  an  encrypted  message,  all 
you  do  is  go  to  that  directory,  search  for 
my  name,  download  my  certificate,  verify 
it  with  your  copy  of  the  publisher’s  public 


key  and  then  use  the  copy  of  my  public 
key  that’s  on  my  certificate  to  send  me  an 
encrypted  e-mail  message.  It’s  a  compli¬ 
cated  process;  but  fortunately,  the  code 
that  implements  the  process  is  built  into 
Outlook,  Netscape  Navigator  and  many 
other  programs. 

Notice  how  the  entire  strength  of  this 
system  rests  upon  four  things:  the  soft¬ 
ware  that  does  the  encryption,  your  copy 
of  the  publisher’s  public  key,  the  pub¬ 
lisher’s  trustworthiness  and  the  private 
keys.  Your  e-mail  client  might  not  actu¬ 
ally  encrypt  the  message,  or  it  might  send 
an  encrypted  blind  copy  to  Siberia.  Alter¬ 
natively,  someone  could  infiltrate  the 
certificate  authority  and  have  it  issue 
certificates  in  my  name  that  have  his 
keys.  Or  he  could  simply  steal  my  private 
key.  If  any  of  these  things  happens,  the 
security  offered  by  PKI  is  lost. 

That,  in  a  nutshell,  is  what  PKI  is  all 
about— it’s  a  certificate  authority’s  prom¬ 
ise  about  the  identity  of  a  person  or  busi¬ 
ness  that  has  possession  of  a  private  key. 
Of  course,  PKI  is  also  much,  much  more 
complicated. 

During  the  past  10  years,  there  has 
been  a  Herculean  effort  to  incorporate 
the  principles  and  technology  of  PKI  into 
many  aspects  of  our  business  and  per¬ 
sonal  lives.  The  first  step  was  to  distrib¬ 
ute  software  that  could  understand  and 
verify  digital  certificates.  Netscape  Nav¬ 
igator,  the  first  such  program,  used  PKI 


to  verify  the  digital  certificates  on  so- 
called  secure  websites.  By  “secure,”  Net¬ 
scape  meant  that  the  website  could  be 
accessed  using  the  SSL  encryption  pro¬ 
tocol.  An  aggressive  public  education 
campaign  cominced  many  people  that  it 
wasn’t  safe  to  send  credit  card  numbers 


Early  public-key  systems  used  the 
same  keys  for  both  sealing  and  signing. 


Today’s  systems  use  separate  keys  for  these 
two  functions  for  a  variety  of  technical  and 
political  reasons. 


58  www.csoonline.com  August  2003 


over  the  Internet  unless  those  numbers 
were  encrypted  with  SSL.  Because  Net¬ 
scape  sold  the  only  SSL-enabled  Web 
server,  the  company  took  off. 

But  while  the  use  of  PKI  increased 
Netscape’s  stock  price,  it  didn’t  do  a  whole 
lot  to  actually  provide  security  to  credit 
card  transactions.  SSL  server  certificates 
give  users  an  encrypted  channel  to  a  Web 
server,  but  it’s  up  to  the  users  to  examine 
the  certificate  and  see  if  the  name 
matches  with  whom  they  wish  to  com¬ 
municate.  For  example,  if  you  connect  to 
a  website  like  www.store.palm.com  and 
want  to  find  out  if  the  site  is  really  oper¬ 
ated  by  Palm  or  not,  you  should  be  able  to 
look  at  the  Organization  and  Organiza¬ 
tion  Unit  fields  of  the  certificate  and  find 
out  who  it  was  really  issued  to— that  is, 
provided  that  the  CA  that  issued  the  cer¬ 
tificate  did  its  job  properly,  and  provided 
that  the  company  that  got  the  certificate 
didn’t  lose  control  of  its  private  key. 

That’s  the  theory.  But  in  the  years 
since  SSL  certificates  have  been  widely 
deployed,  practice  has  become  quite  lax. 
When  I  looked  at  the  certificate  that  cer¬ 
tifies  the  publisher  of  Palm  Computing’s 
Palm  Store  in  July,  for  example,  I  dis¬ 
covered  that  there  was  no  meaningful 
information  inside  the  cert’s  Organiza¬ 
tion  and  Organization  Unit  fields.  Most 
people  don’t  notice  this,  of  course,  be¬ 
cause  the  user  interfaces  of  Internet 
Explorer  and  Netscape  Navigator  make  it 
so  very  difficult  to  actually  look  at  the 
fields  on  the  certificate.  Who  is  to  blame? 
It  turns  out  that  the  fault  here  lies  with 
Equifax,  the  CA  that  apparently  issued 
the  certificate. 

Of  course,  the  big  dollars  in  PKI 
aren’t  with  server  certificates— the  big 
payoff  comes  when  people  like  you  and 
me  start  getting  client-side  certificates 
that  allegedly  verify  our  identity  when 
we  connect  to  a  secure  server  using  SSL 
or  special  purpose  software.  Client-side 
certificates  let  computers  use  posses¬ 
sion  of  a  private  key  as  an  identifier.  In 
theory  this  is  better  than  using  pass¬ 
words  or  biometrics  because  the  com¬ 
puter  that  verifies  your  identity  needs 
only  your  public  key.  That  prevents  the 
verifying  computer  from  stealing  your 


password  and  then  impersonating  you 
to  a  third  party.  This  is  what  PKI  advo¬ 
cates  mean  w’hen  they  say  PKI  prevents 
identity  theft. 

One  problem  with  client-side  certs  is 
that  you  need  a  way  to  prove  your  iden¬ 
tity  to  the  CA  in  the  first  place.  Another 
problem  is  that  you  need  a  secure  place  to 
keep  your  private  key;  most  people  aren’t 
good  at  memorizing  hundred-digit  num¬ 
bers.  Typically,  keys  themselves  are 
encrypted  with  some  sort  of  pass-phrase 
and  either  stored  on  a  hard  disk  or  in  a 
smart  card.  As  a  result,  the  security  of 
most  PKI  systems  frequently  degenerates 
into  the  security  of  traditional  password- 
based  systems  instead. 

Another  problem  is  differing  inter¬ 
pretations  of  what  it  means  to  use  a 
client-side  certificate.  With  Microsoft’s 
Internet  Explorer,  when  you  use  your 
digital  certificate  it’s  a  big  deal,  like  you 
are  signing  some  kind  of  legal  document. 
But  with  Netscape  Navigator,  your  secret 
key  can  be  used  automatically,  transpar¬ 
ently,  and  without  your  knowledge, 
whenever  you  touch  a  website  that  asks 
for  a  signature.  With  either  system,  you 
don’t  always  know  exactly  what  you  are 
signing— you  just  know  what  your  com¬ 
puter  says  you  are  signing.  It’s  entirely 
possible  that  your  computer  might  be 
infected  with  a  Trojan  Horse  that  says 
you  are  signing  one  document,  when  in 
fact  you  are  signing  another.  Supporters 
of  PKI  who  claim  that  PKI  provides 
“nonrepudiation”  of  business  contracts 
and  other  legal  documents  invariably 
gloss  over  that  point. 

Not  surprising,  the  most  successful 
PKI  deployments  are  at  organizations 
that  have  already  verified  the  identity  of 
their  employees  and  members:  For  these 
organizations,  PKI  helps  improve  secu¬ 
rity  by  eliminating  passwords  with  an 
infrastructure  that  supports  single  sign- 
on.  But  in  many  other  situations,  a  com¬ 
pelling  case  for  PKI  as  it  is  currently 
envisioned  has  yet  to  be  made.  ■ 

Simson  Garfinkel,  CISSP,  is  a  technology  writer  based 
in  the  Boston  area.  He  is  also  CTO  of  Sandstorm  Enter¬ 
prises,  an  information  warfare  software  company.  He 
can  be  reached  at  machineshop  ^cxo.com. 


varied  roster  including  Fair,  Isaac  &  Co.,  Equifax, 
Mantas  and  Searchspace. 

Unisys  says  a  key  selling  point  for  ARMS  is  that  it 
examines  transactions  in  real-time,  rather  than  scan¬ 
ning  warehoused  data  after  the  fact.  Warehousing  can 
be  quite  effective  in  certain  applications  as  well,  how¬ 
ever.  In  July,  SAS  issued  a  release  about  the  use  of  its 
business  intelligence  software  for  fraud  detection  at 
Fireman’s  Fund  Insurance  Co.,  saying  the  company 
saves  upward  of  $20  million  per  year  by  sussing  out 
false  insurance  claims.  This  case  study  highlights  one 
of  fraud  detection  software’s  outstanding  characteris¬ 
tics,  given  the  current  economic  state:  The  return  on 
investment  for  such  purchases  can  often  be  directly 
placed  on  the  corporate  bottom  line. 

Underlying  most  pattern  recognition  products  is 
the  technology  formerly  known  as  artificial  intelli¬ 
gence,  or  Al.  Al  got  such  a  bad  rap  because  its  early 
commercial  implementations  didn’t  live  up  to  their 
hype,  and  the  term  is  now  largely  discarded  in  favor 
of  “neural  networks"  or  nonspecific  monikers  like 
“business-rules-driven  software.”  But  Al  and  pattern 
recognition  support  biometric  access  control  devices 
and  antiterrorism  facial  recognition  software.  And 
they  can  be  applied  to  examine  anything  that  pro¬ 
duces  large  transaction  volumes:  stock  and  currency 
trades,  border  crossings,  phone  records,  and  register- 
and  store-level  cash  flows.  The  government  uses  pat¬ 
tern  recognition  to  help  track  down  money  laundering 
operations;  Forrester’s  Gillespie  says  she  has  seen 
software  vendors  with  very  sophisticated  examples 
of  applied  Al  in  that  arena. 

Wherever  it’s  applied,  pattern  recognition  amounts 
to  an  attempt  to  automate  the  experienced  security 
practitioner’s  gut— the  ability  to  eyebaU  a  situation 
and  say,  “Something’s  not  right  here.” 

-Derek  Slater 


PHOTO  BY  GETTY  IMAGES 


August  2003  www.csoonline.com  59 


CSO  Undercover 


</rr.  N 


h 


Value  Proposition 

If  you’re  going  to  sell  security  to  your  CFO— and  others  in 
the  organization— you’d  better  know  what  matters  to  them 

By  Anonymous 


AST  WEEK,  MY  COMPANY’S  CFO,  Bob  Beancounter,  popped  in  to  my 
office  and  dropped  a  bombshell.  “I  need  some  solid  evidence  that  your  security  pro¬ 
grams  are  contributing  to  the  organization’s  productivity,  its  competitiveness 
and  ultimately  its  bottom  line,”  he  said  without  a  hint  of  apology. 

“Evidence?”  I  asked  him.  And  then  repeated  it,  as  if  auditioning  for  a  role  in 
some  cheesy  made-for-TV  drama.  “Evidence?  Hmm.  You’ve  got  to  help  me  with 
this  one,  Bob,”  I  said  slyly.  “I  mean,  how  do  you  calculate  the  cost  of  a  bad 
employee?”  I  reminded  him  that 
we  had  been  steered  clear  of  hiring 
hundreds  of  people  in  the  past  sev¬ 
eral  years  as  a  result  of  what  we 
had  discovered  during  our  back¬ 
ground  investigations— costing 
only  about  $125  each.  “Do  you 
think  more  than  a  few  of  those  V^VL' 

rejects  might  have  cost  us  some 
serious  money  had  we  hired  them?” 

I  asked. 

“Well,  I...,”  he  stumbled.  But  I 
had  already  started  down  a  path 
of  no  return. 

“Huh.  We  can  demonstrate  how 
our  security  measures  contribute 
to  shareholder  value  due  to  lower 
losses  per  dollar  of  sales  versus  the 
competition.  And,  by  the  way,  we 
have  fewer  security  personnel  per 
employee  than  any  of  our  com¬ 
petitors,”  I  added. 

“And  I  recall  that  we  were  back 
in  business  before  our  competitors 
were  after  9/11  because  we  had 
adequately  planned  and  tested 
business  resumption  plans,”  I 
cited.  “I  remember  that  the  CEO 

made  some  real  hay  with  that  one  at  the  annual  meeting.” 

But  I  wasn’t  done.  “Because  of  our  preventive  and  detective  tools,  we  haven’t 
had  even  one  minute  of  downtime  due  to  the  increasingly  serious  viruses  and 
worms  that  hit  us  on  a  regular  basis.  Has  that  helped  productivity  and  the  bottom 
line?”  I  asked. 


60  www.csoonline.com  August  2003 


Then  I  wondered  aloud  if  he  had  checked  with  risk 
management  lately.  “Our  insurance  premiums  have  all 
been  reduced  since  they  reviewed  our  safeguards,”  I  told 
him.  “And  remember  that  company  marketing  wants  to 
hire  to  manage  phone  sales?  You  should  have  seen  the 
incredible  holes  we  found  in  their  information  protection 
program.  Can  you  help  me  figure  the  cost  if  they  had  lost 
our  customers’  credit  card  numbers  or  other  sensitive 
information  as  a  result?” 

Finally,  I  mentioned  how  Mrs.  Jameson  might  put  a 
dollar  value  on  the  security  here:  One  of  our  security  offi¬ 
cers  saved  her  husband’s  life  a  few  weeks  back  by  using  the 
defib  after  he  had  a  heart  attack.  It  took  the  EMTs  30 
minutes  to  get  here,  but  our  guys  were  there  in  three. 

Yup,  Mr.  Beancounter,  I  think  we’re  doing  our  part  in 
contributing  to  the  bottom  line  in  this  organization.  But 
we  also  do  so  much  more  than  that.  At  the  end  of  the  day, 
I  think  what  we  are  about  is  helping  the  company  run  its 
business  in  a  risky  world.  Maybe  it  doesn’t  end  up  on 
your  balance  sheet  as  a  line  item,  but  I’d  bet  the  bottom 

line  that  the  bottom  line  would  be 
a  lot  smaller  if  we  didn’t  do  what 
we  do  around  here. 

Eyes  Wide  Open 

Now,  I’d  love  to  have  a  buck  for 
every  discussion  I’ve  been  a  part  of 
that  wondered  how  the  corporate 
security  team  could  demonstrate 
to  the  bean  counters— and  to  ma¬ 
hogany  row,  for  that  matter— that  it 
is  far  more  than  just  another  cost 
center. 

All  you  need  to  do  is  look  back  at 
the  past  decade  to  see  that  security 
is  a  fundamental  element  of  core 
business  processes.  Start  with  the 
Corporate  Sentencing  Guidelines 
or  all  the  high-level  resignations 
due  to  phony  experience  creden¬ 
tials.  Or  consider  international— 
and  now  domestic— terrorism 
threats.  Or  think  about  intellectual 
property  theft  and  product  diver¬ 
sion.  What  about  the  high-level 
internal  misconduct  and  criminal 
activity,  and  the  daily  reality  of 
cybercrime  and  business  interrup¬ 
tion?  Look  at  any  one  of  those  areas,  and  you’ve  got  your¬ 
self  a  good  case  for  the  bean  counters. 

Yet  I’ve  worked  for  executives  who  never  saw  the  real 
value  without  my  persuasion.  They  thought  that  any  activ¬ 
ity  that  couldn’t  demonstrate  a  direct  contribution  to  the 

ILLUSTRATION  BY  ARTHUR  E.  GIRON 


A=G 


revenue  stream  and  profit  margin  was  an 
albatross  around  the  neck  of  the  company. 
They  never  took  the  time  to  understand  our 
mission  and  its  relationship  to  the  protec¬ 
tion  of  the  enterprise. 

I  say  this  with  no  apologies:  CSOs  are 
enablers.  We  provide  services  that  allow  the 
enterprise  to  meet  business  risk  with  its  eyes 


wide  open.  Its  value  is  in  managing  risk.  I 
mean,  if  you  want  to  own  buildings  with  big 
rents  for  tenant  businesses,  you’d  better  have 
good  life-safety  systems  and  procedures.  If 
you  want  to  do  e-commerce,  you’d  better  pro¬ 
vide  a  secure  means  for  customers  to  deal 
with  you.  If  you  handle  other  people’s  money, 
you’d  better  have  in-depth  controls  around 
integrity.  If  you  want  to  build  a  business  in  a 
risky  foreign  environment,  you’d  better  have 
security  on  your  agenda. 

U.S.  business  is  going  through  an  evolu¬ 
tion  of  sorts  when  it  comes  to  security  and  its 
growing  role  within  business  operations. 
Thirty  or  40  years  ago,  we  moved  from  the 
basics  of  general  asset  protection  to  more 
risk-focused  content  prompted  by  negligent 
security  litigation,  safe  and  secure  issues  of 
employment  law,  and  increasing  notice  of 
workplace  violence.  As  the  American  work¬ 
place  moved  into  ever-increasing  technolog¬ 
ical  complexity  and  reliance,  the  threats 
became  more  sophisticated,  and  remote  and 
business  continuity  took  on  new  meaning. 

With  the  ’90s  came  the  corporation  as 
criminal  defendant,  Internet  connectivity, 
business  conduct  issues  and  the  need  for 
secure  e-commerce.  Then  the  millennium 
brought  us  the  reality  of  terrorism,  anthrax, 
SARS  and  major  concerns  for  the  adequacy 
of  internal  controls  and  ethical  standards. 
In  this  short  period,  not  only  the  concept  of 
“corporate  security”  but  the  standing,  skills 
and  competencies  of  those  who  deliver  the 


wide  assortment  of  business  protection  serv¬ 
ices  have  expanded  dramatically,  culminat¬ 
ing  in  the  notion  of  the  chief  security  officer. 
We  are  talking  about  CSOs  these  days  be¬ 
cause  the  nature  of  threat,  vulnerability  and 
business  risk  is  expanding  and  the  corner 
office  wants  a  cohesive  and  comprehensive 
protection  strategy. 


Do  your  own  history  lesson.  Look  at  the 
reporting  relationship,  compensation  and 
senior  management  awareness  of  these 
aspects  of  operational  risk  within  your  com¬ 
pany  and  other  organizations  with  which  you 
are  familiar.  The  business  world  is  far  riskier 
today  than  40  years  ago,  and  it  isn’t  likely  to 
get  any  easier. 

Full-Service  Security 

So— with  this  evolution  in  progress  and  a 
seemingly  acknowledged  need  for  a  senior 
security  executive  within  the  management 
team— why  do  we  CSOs  continue  to  find  our¬ 
selves  wringing  our  hands  about  the  value 
we  bring  to  the  table? 

I  think  we’ve  done  a  lousy  job  of  selling  the 
evolution  and  central  governance  roles  of  a 
full-service  security  program  to  thought  lead¬ 
ers  in  business.  I’d  also  not  hesitate  to  put 
audit  committees— even  the  Big  Whatever- 
Number-It-Is-Now  accounting  firms  and  the 
so-called  consultancies  that  serve  mahogany 
row  and  the  business  schools— on  the  deten¬ 
tion  list  as  well.  I  don’t  give  a  hoot  who  runs 
the  full-service  security  program  just  as  long 
as  it  encompasses  all  of  the  pieces  and  is 
directed  with  a  recognition  of  how  the  indi¬ 
vidual  parts  can  cost-effectively  contribute 
to  enterprise  protection. 

I  know  security  can  be  a  hard  sell,  not  only 
because  it  adds  cost  but  because  our  “clients” 
see  our  programs  as  adding  inconvenience  or 
cumbersome  steps  in  business  processes.  But 


we  all  know  the  rules  have  changed  in  these 
past  several  decades,  and  good  old  Bobby 
Beancounter  knows  that  as  well.  Don’t  forget 
that  CFOs  are  risk  managers  at  their  core, 
and  they  know  we  live  in  a  much  riskier 
world  these  days. 

Every  enterprise  is  different,  and  the  secu¬ 
rity  story  is  equally  diverse.  CSOs  have  to 
find  the  hook  that  works  within  their  unique 
corporate  culture.  This  has  to  be  the  focus  of 
the  products  we  develop  and  sell.  Big,  com¬ 
plex  technical  environment?  Big  need  for  in- 
depth  safeguards  and  redundancies.  Other 
people’s  money?  Trust  and  integrity.  We  all 
have  a  story  that  matches  our  company’s  risk 
profile  and  culture.  What  some  of  us  have 
not  done  well  is  package  the  story  for  the 
multiple  audiences  we  have.  There  are  hooks 
for  Bobby  Beancounter  that  will  ring  his 
chimes,  and  there  are  different  ones  for  the 
audit  committee,  the  CEO,  the  CIO  and  so 
forth.  If  you  are  at  the  table,  you  will  know 
what  hooks  work  with  each  executive  and 
how  to  package  the  story. 

I  think  the  notion  of  adding  value  is  a 
many-sided  story  in  itself.  As  I  said  in  my 
pitch  to  our  CFO,  we  can  show  how  our 
efforts  avoid  clearly  measurable  risk.  We  can 
demonstrate  in  any  number  of  ways  these 
days  how  we  contribute  to  our  firm’s  com¬ 
petitiveness.  I  obviously  had  not  “sold”  Mr. 
Beancounter  prior  to  his  visit.  My  fault.  He’s 
the  guy  who  whispers  in  the  CEO’s  ear  on 
cost  management,  after  all!  If  your  organi¬ 
zation  is  doing  its  job  well,  you  have  tons  of 
data,  metrics  and  risk  mitigation  stories  to 
support  your  cost  and  put  the  value  equa¬ 
tion  in  perspective.  Advertise  successes. 
Think  of  signs  at  construction  sites  saying 
“254  days  accident  free!”  What  signs  might 
each  of  your  programs  have  on  the  wall?  At 
your  periodic  meetings  with  senior  manage¬ 
ment,  have  some  bullets  on  metrics  and  a 
story  or  two  keyed  to  that  manager’s  hot  but¬ 
tons.  It  works. 

Value  is  in  the  eye  of  the  beholder.  Our 
products  are  often  hard  for  the  business  to 
understand  and  see.  Know  your  clientele  and 
open  their  eyes  with  the  facts.  ■ 

This  column  is  written  anonymously  by  a  real  CSO. 
For  reader  feedback,  send  us  an  e-mail  message  at 
csoundercoverficxo.com. 


Maybe  it  doesn’t  end  up  on  the  balance 
sheet  as  a  line  item,  but  I’d  bet  the  bottom  line 
that  the  bottom  line  would  be  a  lot  smaller  if 
security  didn’t  do  what  we  do. 


August  2003  www.csoonline.com  61 


Sales  and 
Services 

CSO  Sates  Offices 

President  Walter  Manninen  •  508  935-4101 
Group  Publisher 
Gary  J.  Beach  •  508  935-4202 
Publisher  Bob  Bragdon  •  508  935-4443 
Executive  VP  Sales/Custom  Publishing 
Ellen  Romanow  •  508  935-4796 

East  Coast 

Eastern  Regional  Sales  Manager 
Paul  Reiss  •  508  935-4163 
Eastern  Regional  Account  Executive 
Kim  Forrest  •  508  935-4068 
Senior  Regional  Manager 
Kathy  Powers  •  973  244-4041 

Midwest 

Regional  Director 
Robert  E.  Sawdon  •  512  306-9801 
Regional  Sales  Manager 
Christopher  Nolan  •  847  441-5005 

West  Coast 

Western  Regional  Sales  Manager 
Mary  Sinclair  •  415  975-2691 
Senior  Regional  Manager 
Jane  Evans  •  415  975-2680 
Regional  Manager 
Ai  Collins  •  415  975-2686 
Regional  Sales  Manager 
Chris  Bramel  •  949  475-5579 

List  Services 

List  Services  Director 

Kathryn  A.W.  Marston  •  508  935-4072 

List  Services  Account  Executive 

Stephanie  Roy  •  508  935-4151 

List  Services  Coordinator 

Kim  Cormican  •  508  935-4152 

Online  Services 

VP/Online  Sales 
Lisa  Brown  •  508  935-4470 
Online  Sales  Manager 
Michael  McPhee  •  508  935-4611 

Custom  Publishing 

Group  Director  Michael  Siggins 
Director  Mary  Gregory 
Director  of  Content  Development 
Tom  Field 

Project  Managers  John  Danielowich, 

Amy  Greenleaf 

Graphic  Designer  Chris  Brown 


Production 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Lee  Tuttle 
Senior  Production  Coordinator 
Lisa  Stevenson 

Executive  Programs 

EP  Senior  Vice  President 

Jennifer  Richards 

Conference  Management  VP 

Cynthia  Mollus 

Marketing  Services  Director 

Shellie  Rapson  James 

Business  Development  VP  John  Amato 

Program  Operations  Manager  Brian  Fuce 

Marketing  Manager  Glede  Kabongo 

Marketing  Services  Coordinator 

Andrea  Slobogan 

Event  Development  Specialist 

Sandra  J.  Hughey 

Operations  Coordinator  Michael  Barbato 
Event  Planning  Manager  AmyTurell 
Senior  Customer  Service  Coordinator 
Sarah  Yee 

Marketing 

Executive  VP/Marketing 
Cathy  O'Leary  Hayes 

VP/News  and  Information  Susan  Watson 
Media  Relations  Manager  Karen  Fogerty 
News  and  Information  Associate 

Lori  Piscatelli 

Marketing  Research  Director 
Bridget  Cammarata 
Marketing  Research  Manager 
Carolyn  Johnson 
Sr.  Marketing  Research  Analyst 
Dylan  DiGregorio 

Marketing  Comm.  Director  Sue  Yanovitch 
Sr.  MarCom  Development  Specialist 
Kari  Curto 

Marketing  Comm.  Associate 
Sarah  Crowley 

Circulation 

Senior  VP/Circulation  Carol  A.  Spach 
Circulation  Director  Faith  Marcello 
Subscription  Svcs.  Supervisor  Tina  Pescaro 

Reprint  Services 

For  article  reprints,  please  contact 
RSiCopyright  at  651  582-3800  or  via  e-mail 
at  csoreprints@rsicopyhght.com. 

For  further  sales  information,  visit 
www.csoonline.com/reprints/index.html. 


CSO  Contact 
Information 

Editorial,  Advertising  and  Business  Offices 

492  Old  Connecticut  Path,  P.0.  Box  9208, 
Framingham,  MA  01701-9208, 

508  872-0080. 

Postal  Information 

CSO  (ISSN  1540-904x)  is  published 
monthly  by  CXO  Media  Inc.,  492  Old  Con¬ 
necticut  Path,  P.0.  Box  9208,  Framingham, 
MA  01701-9208.  Periodicals  Postage  Paid 
at  Framingham,  MA  01701,  and  at  additional 
mailing  offices.  Canadian  Publications  Mail 
agreement  number  1902075.  CANADIAN 
POSTMASTER:  Please  return  undeliverable 
copy  to  P.O.  Box  1632,  Windsor,  ON 
N9A7C9, 

Permissions 

Copyright  2003  by  CXO  Media  Inc.  All  rights 
reserved.  Reproduction  of  material  appear¬ 
ing  in  CSO  is  forbidden  without  written  per¬ 
mission.  Send  requests  to  Andrew  Burrell, 
CXO  Media  Inc.,  492  Old  Connecticut  Path, 
Framingham.  MA  01701.  Telephone 
508  935-4785.  E-mail  aburrell@cxo.com. 

Photocopy  Rights 

Permission  to  photocopy  for  internal  or  per¬ 
sonal  use  or  the  internal  or  personal  use  of 
specific  clients  is  granted  by  CSO  for  users 
through  the  Copyright  Clearance  Center, 
provided  that  the  base  fee  of  $3  per  copy 
of  the  article,  plus  $.50  per  page  is  paid 
directly  to  Copyright  Clearance  Center,  27 
Congress  Street,  Salem,  MA  01970.  Please 
specify:  ISSN  1540-904x.  Permission  to 
photocopy  does  not  extend  to  contributed 
articles  followed  by  this  symbol: 

Subscriptions 

Address  inquiries  to  CSO,  P.O.  Box  3482, 
Northbrook,  IL  60065;  866  354-1125.  CSO 
is  free  to  qualified  information  executives. 
To  all  others  the  one-year  basic  rate  is  $90 
for  the  United  States  and  Canada,  $115  to 
foreign  countries  (payable  in  U.S.  funds 
only),  The  single  copy  price  is  $9.  Please 
allow  four  to  six  weeks  for  new  subscrip¬ 
tions  to  begin. 

Change  of  Address 

Please  go  to  www.omeda.com/custsrv/cso 
and  follow  the  online  instructions. 

Postmaster 

Send  change  of  address  to  CSO,  P.O.  Box 
3482,  Northbrook,  IL  60065.  Printed  in  the 
USA. 


Index  of 
Companies  and 
Advertisers 

Page  numbers  refer  to  the  first  page  of  the 
article(s)  in  which  the  company  has  a  sub¬ 
stantial  mention.  This  index  is  provided  as  a 
service  to  readers.  The  publisher  does  not 
assume  any  liability  for  errors  or  omissions. 


Company  Index 

@Stake  Inc . 15 

Aberdeen  Group  Inc . 15 

Arch  Chemicals  Inc . 28 

Cerner  Corp . 42 

ChevronTexaco  Corp . 28 

Cigital  Corp . .' .  .34 

ConocoPhillips  . 28 

Counterpane  Internet  Security  Inc . 15 

Covenant  Health  . 34 

Crisis  Management  Worldwide  Inc . 28 

Deloitte  &  Touche  LLP  . 15 

Digimarc  ID  Systems  . 22 

Dow  Chemical  Co.,  The  . 28 

Eastman  Chemical  Co . 28 

Eli  Lilly  and  Co . 50 

Equifax  Inc . 57 

Fair,  Isaac  &  Co . 57 

Fireman's  Fund  Insurance  Co . 57 

Forrester  Research  Inc . 57 

Gartner  Inc . 42 

General  Electric  Co . 50 

HealthPartners  Inc . 42 

Highland  Capital  Partners  Inc . 8 

Intel  Corp . 34 

Kaiser  Permanente  . 42 

Kema  Consulting  Inc . 28 

Mantas  Inc . 57 

Meta  Group  Inc . 15 

Microsoft  Corp . 34 

Optum  . 42 

Royal  Bank  of  Canada  . 50 

SAS  Institute  Inc . 57 

Searchspace  . 57 

St.  Luke’s  Health  System  . 42 

TruSecure  Corp . 34 

Unisys  Corp . 57 

W.P.  Carey  &  Co.  LLC  . 34 

Advertiser  Index 

3M  . 5 

Anixter  Inc . 9 

Authenex  Inc . 25 

Check  Point  Software  . 27 

Cisco  Systems  Inc . 2 

Computer  Associates  Inti.  Inc . C4 

CXO  Media  Inc . 17,  48,  56,  63 

GuardedNet  . 11 

IBM  Corp . 21 

Intense  School  . 14 

Internet  Security  Systems  . 7 

National  Summit  on  Security  . 33 

NetlQ  Corp . 23 

Qualys  Inc . 19 

Robert  Half  Technology  . C3 

SecurityGlobal.net  . 41 

Sharp  Electronics  Corp . 12, 13 

Symantec  Corp . C2 

Tripwire  Inc . 55 


62  www.csoonline.com  August  2003 


Is  the  Best 
Mew  Publication 

[But  you  already  knew  that,  didn’t  you?] 


Often  hailed  for  its  preeminence  as  the 
“Pulitzer  Prize  of  the  business  press,”  the 
Neal  Award  is  the  business  publishing  indus¬ 
try’s  annual  salute  to  individual  editors  for 
outstanding  editorial  excellence. 

*  SOURCE:  CSO  MAGAZINE  "SECURITY  SENSOR  II,” 

DECEMBER  2002 


The  Neal  Award  judges  aren’t  the  only  ones  who  value 
CSO  magazine.  98%  of  CSO  readers  find  the  content 
of  CSO  relevant  to  their  jobs  * 


CSO  magazine  is  the  proud  recipient  of  the  prestigious 
2003  Jesse  H.  Neal  Award  for  “Best  New  Publication.” 
CSO  was  also  honored  as  first  runner-up  to  sister 
publication  CIO  magazine  for  the  Grand  Neal  Award— 
the  top  editorial  honor  granted  to  one  publication  from 
more  than  1,000  entries  across  all  categories  and 
circulation  sizes.  This  marks  the  first  time  a  new 
publication  has  received  such  prestigious  recognition 
so  early  on. 


Where  are  they  now? 


Catching  Up  with 
Melissa 


It  was  early  spring  1999.  The  Nasdaq  was 
soaring.  Three  sentences  on  a  cocktail  nap¬ 
kin  could  nab  $30  million  in  venture  capital. 
And  Melissa  became  an  overnight  sensation, 
an  Internet  starlet  and  pioneer.  Melissa 
brought  the  underground  virus  scene  to  the 
mainstream.  She  brashly  took  any  old  Word 
file  and  forwarded  it  to  50  people  in  your 
Outlook  address  book,  appending  her  viral 
payload. 

But  Melissa’s  stay  at  the  top  of  the  virus 
charts  was  brief.  Within  six  months  of  mak¬ 
ing  it  onto  CNN  and  Page  One  of  The  New 
York  Times,  Melissa  found  herself  out  of  the 
spotlight  and  out  of  work.  A  new  generation 
of  viruses,  tantalizing  the  public  with  Anna 
Kournikova  and  J.Lo,  won  the  hearts  and 


hard  drives  of  the  masses.  Meanwhile, 
Melissa  went  from  starlet  to  has-been. 

Though  Melissa  is  mostly  forgotten  by  a 
world  long  since  immunized  against  her 
charms,  CSO  tracked  her  down,  residing  on 
a  6-year-old  PC,  sold  on  eBay  for  $11  last 
year  to  a  man  who  gave  it  to  his  81-year-old 
granny  who  uses  it  as  a  calculator.  When  we 
found  her,  Melissa  was  still  trying  to  forward 
infected  Word  files,  but  without  much  suc¬ 
cess— the  computer’s  no  longer  connected 
to  the  Internet. 

CSO:  How  have  you  survived  the  past  four 
years? 

Melissa:  I  find  ways.  I  get  by.  I  look  for  those 
fools  who  can’t  help  but  click  on  an  attach¬ 


ment.  Sometimes,  I'll  set  up  in  some  PC  in 
the  Third  World,  where  there’s  plenty  of  Win¬ 
dows  95  and  Office  97.  I’ll  forward  files  50 
or  100,  heck,  1,000  times.  And  maybe  one 
or  two  get  through.  Don’t  pity  me.  I’m  not 
pathetic.  I’m  a  survivor! 

Do  you  miss  the  spotlight? 

Nah.  [Swigs  from  bottle  inside  a  paper  bag.] 
It's  not  the  same  anymore.  I  don’t  want  any 
part  of  the  current  scene.  All  these  knock-off 
viruses  are  so  derivative.  Anna  Kournikova 
naked?  Please.  Code  Red?  Pssshthth!  Cock¬ 
tail  viruses?  [Waves  bottle .]  7&7,  now  that’s 
what  I  call  a  "blended  threat.” 

They  owe  all  their  success  to  me.  You 
write  that  down.  There’s  been  what,  80,000 
or  so  viruses  since  then?  But  [points  at  her¬ 
self  defiantly ]  they  remember  my  name. 
Who'll  remember  Kakworm  in  five  years? 

No  one! 

Speaking  of  Kakworm,  also  a  Class  of  '99 
virus,  it  is  still  found  infecting  computers 
now  and  again. 

No  kidding.  Where?  Can  you  hook  me  up 
with  that  gig? 

And  Funlove,  from  the  Class  of  '01, 
reinvented  herself  as  a  virus  on  a 
Powerpuff  Girls  DVD. 

[. Hyperventilating .]  Funlove  was  nothing  with¬ 
out  me!  That  DVD  job  was  supposed  to  go  to 
me,  but  that  second-rate  worm  stole  it. 

[Pulls  paper  bag  off  bottle,  breathes  into 
it.]  But  you  know  what?  It’s  better  this  way. 
Melissa?  She  never  sold  out.  Melissa  stayed 
true  to  her  artistic  integrity.  Melissa  is  an 
original.  She’ll  be  in  the  history  books— or 
at  least  security  books  written  by  consult¬ 
ants.  I've  heard  rumors  that  a  few  boot- 
sector  viruses— you  know  those  old  ones  that 
spread  by  floppy  disks?— are  still  in  circula¬ 
tion.  Those  are  the  kinds  of  viruses  I  want  to 
hang  out  with.  Boot  sectors  on  floppies.  I  give 
them  props.  That's  old  school  right  there. 

Do  you  feel  responsible  for  the  computer 
virus  epidemic,  which  has  periodically 
disabled  massive  numbers  of  computers 
worldwide,  affected  human  productivity  and 
caused  billions  of  dollars  in  untold  damage? 
Uh,  hello!  Ever  heard  of  a  patch,  you 
morons?  ■ 


64  www.csoonline.com  August  2003 


ILLUSTRATION  BY  BRUCE  MCPHERSON 


Network  Security  Engineers  are  a  phone  call  away. 

To  keep  your  business  competitive,  you  need  the  right  IT  talent  at  just  the  right  time. 

With  more  than  100  locations  worldwide,  Robert  Half  Technology  is  a  leading  provider  of: 

•  Network  Security  Engineers  •  Network  Administrators 

•  Programmers  •  Database  Administrators 

•  Web  Developers  •  And  other  Technology  Professionals 

•  Help  Desk  Professionals 

With  our  exceptional  connections  to  the  best  technology  talent  available,  we’ll  do  more  than  provide 
cost-effective  solutions  to  your  needs  -  well  do  it  exactly  when  you  need  it. 

Call  today! 


800.793.5533  robert^  jlogy.com 


ROBERT  HALF  ® 

TECHNOLOGY 

Information  Technology  Professionals  SM 


©  Robert  Half  Technology.  EOE 


A  Robert  Half  International  Company 


r~ 


— - 1  - - ] 

L_  _ 1 

— . — | 

p  i  it  1 1 


if 


ALARM 


FIRE  y 
ALARM 


FIRE  \ 
ALARM 


EIRE  ' 


ALARM 


r 


EIRE  ' 


ALARM 


EIRE  ' 
ALARM 


EIRE  vL 


ALARM 


EIRE  \ 
ALARM 


EIRE  \ 

* 

ALARM 


EIRE^  , 
ALARM  j~ 


EIRE  ' 
ALARM 


EIRE  \ 
ALARM 


r 


r 


E  IRE  \ 

» 

ALARM 


i  1 

-ttzza  —  — 

,  'i.  :,T 

1 

i 

_T 

w  - 1 - — — 

.  T 

1  T 

EIRE  ' 
ALARM 


I 

1 

T~ 

- _ 1 _ 

1  ! 

1— — 

J  ml 

i  i  l 

1 

1 - * - - -  ~  f” 

> 1  I 

EIRE  ' 

'  i .  | 

, _  FIR  E  N  _ 

E  IRE 

'X 

EIRE 

~  “t 

-  EIRE'— .  EIRE  \ 

EIRE  ' 

ALARM  ALARM  ALARM 

1  ■ 

ALARM  ALARM  ALARM 

JP  •  ‘  _  J 

_ _L _ . _ , _ 

_ i  i 

t  n  i 

i  i  i  i  r 

BETTER  MANAGEMENT  DOES. 

The  secret  to  a  secure  enterprise  lies  in  not  just  monitoring  the  parts,  but  managing  it  as  a 
whole.  That's  exactly  what  eTriist™  lets  you  do.  In  fact,  our  eTrust"  Security  Comm;  id  Center 
is  the  perfect  solution  to  security  information  overload.  It  gives  you  the  big  picture  from  a  single 
vantage  point,  with  all  your  event  information  prioritized.  So  you  can  identify  actual  internal 
and  external  threats  before  they  can  wreak  havoc.  Anything  less  would  be,  well,  alarming. 
For  more  information  on  security  management,  go  to  c 


eTrust™ 


ACCESS  •  THREAT  •  IDENTITY 

SECURITY  MANAGEMENT  SOFTWARE 


Computer  Associates® 


©2003  Computei  Associates  International,  Inc  (CA)  All  rights  reserved. 


